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Form is exactly emptiness, emptiness exactly form; 
so it is with sensation, perception, mental reaction, and consciousness. 
All things are essentially empty, not born, not destroyed; 
not stained, not pure; without loss, without gain. 

Therefore in emptiness there is no form, 

no sensation, perception, mental reaction, or consciousness; 

no eye, ear, nose, tongue, body, mind, 

no color, sound, smell, taste, touch, object of thought; 

no seeing and so on to no thinking; 

no ignorance, and no end to ignorance; 

no old age and death, no end to old age and death, 

no anguish, cause of anguish, cessation, path; 

no wisdom and no attainment. 

Since there is nothing to attain, the Bodhisattva lives thus: 
with no hindrance of mind; no hindrance, and hence, no fear; 
far beyond deluded thought, 

RIGHT HERE IS NIRVANA. 

— Erom The Great Prajna-Paramita Heart Sutra 


I saw myself seeing Nirvana, 
but I was there, blocking my view; 
“I see only me,” I said to myself, 
to which I replied, “Me too.” 


— David Bishop 



Preface 


Cryptography is the art of secret writing. It involves transforming information into 
apparently unintelligible garbage so that unwanted eyes will be unable to comprehend 
it. This transformation, however, must be done so that it is reversible, so that individuals 
intended to view the information may do so. This is the traditional use of cryptography. 

I agree with the philosophy that it is wiser to publish your encryption methods than to 
try to keep them secret. Thus, this book and others like it exist. Only government agencies 
endeavor to keep their encryption methods hidden. It is generally thought that publishing 
your ciphers exposes them to an army of brilliant people who will take great joy in point- 
ing out any weaknesses they have. This gives the developer a chance to correct these weak- 
nesses. On the other hand, trying to protect your methods from someone who really wants 
to know what they are probably won’t work. A few bribes here and there will take care of 
that, and once they know your algorithms, they will pay very intelligent people to find weak- 
nesses to exploit. The difference, of course, is that you won’t know that this has happened, 
nor that the precious information you are sending with this cryptosystem is being moni- 
tored. 

A great deal of modern cryptography depends upon the clever manipulation of huge inte- 
gers. Thus, both number theory and abstract algebra play a large role in contemporary meth- 
ods of hiding information. In many respects, Java is a pioneer in computer languages, with 
system security one of its primary missions. Java provides a Biginteger class, and through 
the use of this class, one may write cryptographic routines unbreakable by even the fastest 
supercomputers in the world. This will not change in the near future, nor probably even the 
distant future. The solution to modem cryptanalysis is not more powerful hardware, but more 
powerful mathematics, for modern cryptosystems depend on the intractability of certain 
mathematical problems. 

Java already has security classes defined for it; they are in a package consisting of var- 
ious abstract classes and interfaces, like Cipher, Message, and so on. This book does not 
cover these; rather, the emphasis is in learning the mathematical theory of cryptography, and 
writing algorithms “from the ground up” to implement the theory. For an excellent expo- 
sition of Java security providers and the Java security classes, one should consult Knudsen’s 
book, Java Cryptography by O’Reilly. 
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This book is intended for undergraduate students taking a first course in cryptography. 
I wrote it with both the mathematical theory and the practice of writing cryptographic algo- 
rithms in mind. The chapters present the number theory required, and, in most cases, cryp- 
tosystems are presented as soon as the material required to understand them has been 
completed. No prior knowledge of number theory is necessary, though you should know 
how to use matrices, and should be familiar with the concept of mathematical induction, and 
other methods of proof. There are many math exercises for you, and I believe this is nec- 
essary to deepen one’s understanding of cryptography. A working knowledge of Java is 
assumed. You should have little trouble programming cryptographic algorithms in Java once 
the mathematics is understood. We begin the cryptographic programming “from the ground 
up.” For example, we will first develop our own large integer class in order to gain a deeper 
appreciation of the challenges involved in such construction. 

With Java, one may construct secret key cryptographic systems or public key schemes. 
The concept of secret key cryptography is the traditional view, where both the encryption 
key and the decryption key must be kept secret, or the messages will be compromised. 
Secret key cryptography is often said to involve only one key (often it does), because either 
the encryption key or decryption key is easily obtainable from the other. With public key 
cryptography, each user generates his or her own public key, which he makes known to 
anyone, and a private key, which he keeps to himself. Anyone knowing some individual’s 
public key can encrypt and send messages to that person, but only the intended recipient can 
decrypt it with the private decryption key. It is interesting to note that knowing the public 
encryption key is of almost no help at all in finding the decryption key. 

There are many other aspects of cryptography that Java may also be used to implement; 
for example: 

Signing Messages. A problem with public key cryptosystems is knowing whether or not 
someone who has sent a message actually is the person they claim to be. The concept of 
signing is a technique the sender uses so that the message is known to have come from her. 
This is simply one of various methods used to authenticate people. 

Key Agreement. Since public key encryption and decryption tends to execute more slowly 
than secret key systems, public key systems are often used just to establish secret keys, 
which are then used in message exchange using a quicker method of encryption and decryp- 
tion. 

Database Enciphering. We can use cryptography to encipher entire databases in such a 
way that individuals can recover certain files or records without giving them access to the 
entire database. 

Shadows. This is a method of enciphering highly sensitive information that can be recon- 
structed only with the combination of a certain minimum number of keys or shadows (as 
they are more commonly known) assigned to various individuals. 
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Hashes or Message Digests. A message digest is a special marker sent referencing a 
message. It is used to verify that the message is authentic. Messages, like people, are authen- 
ticated using various techniques. 

Generating Random Numbers. Since computers are designed to operate in a completely 
deterministic fashion, they actually have a very difficult time producing true random num- 
bers. Many of the same mathematical transformations that are used to disguise data are 
also used to produce “pseudorandom” sequences of numbers. 

As you can see, the world of cryptography has many faces. I hope everyone who reads 
this will come to enjoy the beauty in all of them. 


About The Applets 

Since the Internet has swept across the face of the Earth, penetrating homes, businesses, 
and classrooms, people have been trying to figure out how to use it in a way that best suits 
them. The modern Internet streams digital video, audio, photos, and text through high- 
speed connections. Since the receiving device is usually a computer, even more sophisti- 
cated messages can be sent; for example, programs can be downloaded and run live within 
a Web page. One can even run programs on a server thousands of miles away, and have the 
output sent to the receiver. Via the connection of multiple computers storing myriad types 
of data, one can view live maps, weather information, government forms, and so on. One 
can interact with these other machines by the simple click of a mouse. 

The impact of the Internet is highly visible in schools. Never have individuals had such 
easy access to materials for learning, and the tools available now go far beyond text, dia- 
grams, and footnotes. This book, in particular, uses an easily accessible method to demon- 
strate its concepts: Java applets. Applets are programs that run within a Web page, and 
with a few restrictions, behave like regular windowed applications with buttons, text fields, 
check boxes, and so on. 

What makes applets different is that these programs are referenced from an HTML doc- 
ument, and are downloaded and run automatically through the Internet connection. The 
user simply goes to a Web page, and the program pops up and starts running. Contrast this 
to users downloading programs the old-fashioned way: 


• Download the source code. 

• Obtain a compiler for the language the program is written in (this step is often difficult 
and expensive). 

• Compile the program(s). 

• If the programs compile (often not the case), you can now finally run them. 



Anyone with the time, patience, and experience for all this will have a wonderful time 
plodding through all these steps. The rest of us want results now, and with this text, we have 
it. To access the applets in the book, go to the book’s Web site: 

http://computerscience.jbpub.coiii/cryptography 
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Here you will see links to all of the following course resources: 

• The applets 

• Sample data files 

• Program files 

• Instructor’s manual 

The applet names begin with “Test,” and the HTML document associated with each 
applet will have a name something like “TestSomethingApplet.html”. By clicking on such 
a document, you invoke, download, and run some applet. For example, by selecting Test- 
DiscreteLogApplet.html, an html document is brought up, which immediately references an 
applet on the server. In this case, the applet TestDiscreteLogApplet. class is requested, down- 
loaded, and run within the browser window on your computer. 
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You always invoke the applet by selecting its associated HTML document. 

Program Files 

If you wish to view the Java source code for the applets or any of the other classes in the 
text, select the Program Files link. We have included on the next page an example of the 
source code for an applet that demonstrates a block affine cipher in “TestBlockAffine- 
CipherApplet.java”. 
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^ Opened; C:\Doc undents and Settings \D<ivid\Local SeltingsMempoiaiy Internet Files\C 
juiport java.aath.’f; 
jjiport 3ava. applet. *; 

Inport ^ava.auc. ■; 

Import java. avt. event.*; 

public class TestSlockAffineCiphecApplet extends Applet implements ActionListenec ( 

Biginteger shift=null; 

Biglnteger siultipliec=null; 

int blockSize>Q; 

byte[] nsgArcayanull; 

byte[] encnsgAccay^null; 

Label Labeli=Jiew Labei{"Piaintext") ; 

TextField asg=>nnf Textrieid(40) ; 

Label LabeI2»ne« Label ("Ciphertext"); 

TextFxeld encnsg»neif TexcField(40) ; 

Label shiftLabel»new Label ("Shift value: ") ; 

TextField enttyShiftValue^new TextField(40) ; 

Label blockLabelaneu Label("Block size (in bytes):"); 

TextField entcyBlockVaiue»new TextField ( 40 ) ; 

I Label multLabel-new Label("Kultipliec (must be relatively prime to modulus):”); 

TextField entryHultValue»new TextField(40) ; 

Button enciphecButton*iiew Button("Encipher") ; 

Button decipherButton*ne» Button("Deciphec"); 

TextField ouuisg»new Textrield("~) ; 

public void init() ( 

setLayout(new GridLayout(13,l) ) ; 
add(Labell); 

, add(msg); 

add(Label2); 
add(encmsg) ; 

encmsg. setEdi table (false) ; 
add(blockLabel) ; 
add(entrYBlockValue) ; 
add(shiftLabel) ; 
add(entryShlftValue] ; 
edd(nulcLabel) ; 
add(enttyHultValue) ; 

[ add(enciphetButton) ; 

I encipherButton. addActionListener(this) ; 

add(decipherButton) ; 

I decipherButton. addActionListenerCthis) ; 

l< ■ 

Source^ Ii I Insert 



Sample Data Files 

Because cryptography often involves manipulating very large numbers, there are examples 
in the text that incorporate them. These examples are also stored on the book’s Web site. 
Click on the Sample Data Files link to view them. By copying these files and pasting the 
large numbers into a math computation engine, you can verify the results claimed in the 
book. 

Instructor's Manual and Resources 

Instructors of a course using this text have access to a manual that provides solutions to the 
more difficult exercises in the text. There are also programs written just for instructors that 
can be used to generate additional exercises. Permission must be obtained to use this por- 
tion of the site. Please contact your publisher’s representative at 1-800-832-0034 for your 
username and password. 
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A Word of Thanks 

I would like to extend my sincere thanks to Charles J. Colbourn of Arizona State Univer- 
sity and K. T. Arasu of Wright State University, who reviewed this book in its early stages. 
Their insightful comments and suggestions were of great value, and I appreciate the time 
and energy they put in to their reviews. 

To You, THE READER 

I hope you have as much fun reading this book as I had writing it, and I SINCERELY hope 
you use the many applets provided for you online. If you are a student, this goes double for 
you, and if you are a teacher, quadruple. Without the applets, this book is just another crypto 
book, but with them, IT’S AN ADVENTURE! 

HAVE FUN! 
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CHAPTER 1 


A History of Cryptography 


This chapter provides an overview of some of the classical methods of cryptography 
and some idea of how they evolved. None of the methods described here is used today, 
because they are considered either insecure or impractical. We begin with some definitions: 


Definition A cipher, or cryptosystem, is a pair of invertible functions: 

• /j, (known as the enciphering function), which maps from a set S to a set T, based on 
a quantity k called an enciphering key. 

• gj.' (known as the deciphering function), the inverse of/j.. k' is known as the deci- 
phering key. 


The function /^. maps an element v in 5 to an element /j.(v) in T so that determining the 
inverse mapping is extremely difficult without knowledge of k' . An element of S is called 
plaintext, whereas an element of T is called ciphertext. 

Some ciphers are better at satisfying this definition than others. The terms encipher and 
encrypt are synonymous, as are the terms decipher and decrypt. 


Definition If, for some cipher A: = A:', or if k' is easily computable given k, such a 
cipher is called a secret key cipher. However, if k' is extremely difficult to obtain even 
with knowledge of k, such a cipher is called a public key cipher. In this case k is called 
a public key, whereas k' is called a private key. 


1 



1.2 Monoalphabetic Substitution Ciphers 3 


TABLE 1.2 A Sample 
Decoding Codebook 



A decoding codebook would provide the reverse mappings, organized alphabetically by 
codeword, as shown in Table 1.2. 

In practice, both the encoding and decoding codebooks would probably be incorporated 
into one book. 

So, using the previous codebook, the message 

ATTACK ENEMY AT DAWN 
would be encoded as 

RUN EXPLODE LION COMPUTER. 

Though there is some evidence that codes may be more secure than most ciphers, they 
are not used widely today because of the high overhead involved in distributing, maintain- 
ing, and protecting the codebooks. 

MONOALPHABETIC SUBSTITUTION CIPHERS 

The oldest cryptosystems were based on monoalphabetic substitution ciphers. These ciphers 
mapped individual plaintext letters to individual ciphertext letters. They are considered inse- 
cure because they are all vulnerable to a type of analysis called frequency analysis, which 
breaks these ciphers. 

The oldest cipher known is called the Caesar cipher. The enciphering and deciphering 
transformations map an individual letter to another letter in the same alphabet. Specifically, 
a plaintext letter is shifted down 3 letters, with letters near the end of the alphabet wrapping 
around again to the front, as shown in Table 1.3. 

Thus, using this cipher. 


EIRE MISSILE 
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TABLE 1.3 


Plaintext letter A B C D W X Y Z 

Ciphertext letter D E F G Z A B C 


would be enciphered as 

ILim PLWLOH. 

In practice, however, one usually groups these letters into blocks, say 5 letters each. A 
cryptanalyst can easily guess certain mappings if the ciphertext words are the same size as 
the plaintext words. Thus, we would probably send the previous message as 

ILUHP LWLO H. 

To decipher, one simply shifts each ciphertext letter 3 letters up the alphabet, again tak- 
ing wrap-around into account. 

Every cipher has at least one key, which may need to be kept secret. In the case of the 
Caesar cipher, the key is the shift value, say k = 3. This key must certainly be protected 
from unauthorized users, as knowing it allows decryption. In general, we can choose any 
shift value we wish for a Caesar cipher. 


1 .3 FREQUENCY ANALYSIS ON CAESAR CIPHERS 

Of course, the Caesar cipher is easily breakable, using what is called frequency analysis. We 
can proceed in the following way: 

1. Suppose the message is English text. (The message may not be English text, but the prin- 
ciple remains the same.) 

2. Note that the most common letter appearing in English text is “E.” 

3. Examine as much ciphertext as possible. The character appearing most often is proba- 
bly the character “E” enciphered. 

4. The distance between “E” and the enciphered character is the shift value. 

Of course this guess may be wrong, but it is a pretty fair guess with this simple cipher. 
Erequency analysis exploits the fact that languages are biased in that some letters appear 
much more frequently in text than others, and that some ciphers preserve this bias. Ere- 
quency analysis is only useful for simple ciphers, however, such as this one. 

Example. Take a look at the following ciphertext, which was produced using a Caesar 
cipher: 

WFIDZ JVORT KCPVD GKZEV JJVDG KZEVJ JVORT KGPWF IDJFZ KZJNZ KYJVE 
JRKZF EGVIT VGKZF EDVEK RGIVR TKZFE REUTF EJTZF LJEVJ JRCGK YZEXJ 
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RIWJ 

JVEKZ 

RCCPV 

DGKPE 

FKSFI 

EEFKU 

VJKIF 

PVUEF 

KJKRZ 

EVUEF 

KGLIV 

NZKYF 

LKCFJ 

JNZKY 

FLKXR 

ZEKYV 

IVWFI 

VZEVD 

GKZEV 

JJKYV 

IVZJE 

FWFID 

EFJVE 

JRKZF 

EGVIT 

VGKZF 

EDVEK 

RCIVR 

TKZFE 

FITFE 

JTZFL 

JEVJJ 

EFVPV 

VRIEF 

JVKFE 

XLVSF 

UPDZE 

UEFTF 

CFIJF 

LEUJD 

VCCKR 

JKVKE 

LTYFS 

AVTKE 

WKYFL 

XYKEF 

JWZE 

XREUJ 

FFEKF 

EFKYZ 

EBZEX 

EFZXE 

EIRET 

VREUE 

FVEUK 

FZXEF 

IRETV 

EFFCU 

RXVRE 

UUVRK 

YEFVE 

UKFFC 

URXVR 

EUUVR 

KYEFR 

EXLZJ 

YTRLJ 

VFWRE 

XLZJY 

TVJJR 

KZFEG 

RKYEF 

NZJUF 

DREUE 

ERKKR 

ZEDVE 

KJZET 

VKYVI 

VZJEF 

KYZEX 

KFRKK 

RZEKY 

VSFUY 

ZJRKK 

MRCZM 

VJKYL 

JNZKY 

EFYZE 

UIRET 

VFWDZ 

EUEFY 

ZEUIR 

ETVRE 

UYVET 

VEFWV 

RIWRI 

SVPFE 

UUVCL 

UVUKY 

FLXYK 

IZXYK 

YVIVZ 

JEZIM 

RER 








If we count the occurrences of each letter in the text, we come up with the following 
counts; 

A: 1 B: 1 C: 16 D: 14 E: 82 F: 69 G: 10 H: 0 I: 27 J: 47 K: 61 L: 15 

M: 3 N: 5 0: 2 P: 8 Q: 0 R: 45S: 5 T: 21U: 28V: 69W: 9 X: 15 

Y: 28 Z: 47 

The letter E appears most frequently, but this would be the identity map, not a smart 
choice. Otherwise, the most frequently occuning letters are F and V, which each appear 69 
times. Thus, the shift value is likely to be 

dlstanceCE, P) = 1, or distanceCE, V) = 17. 

If we try the shift value of 1, we see that we get only garbage. If we shift each letter of 
the ciphertext to the left by 17, though, we get the beautiful expression: 


FORMI 

SEXAC 

TLYEM 

PTINE 

SSEMP 

TINES 

SEXAG 

TLYFO 

RMSOI 

TISWI 

THSEN 

SATIO 

NPERG 

EPTIO 

NMENT 

ALREA 

GTION 

ANDGO 

NSGIO 

USNES 

SALLT 

HINGS 

AREES 

SENT I 

ALLYE 

MPTYN 

OTBOR 

NNOTD 

ESTRO 

YEDNO 

TSTAI 

NEDNO 

TPURE 

WITHO 

UTLOS 

SWITH 

OUTGA 

INTHE 

REEOR 

EINEM 

PTINE 

SSTHE 

REISN 

OFORM 

NOSEN 

SATIO 

NPERG 

EPTIO 

NMENT 

ALREA 

GTION 

ORGON 

SGIOU 

SNESS 

NOEYE 

EARNO 

SETON 

GUEBO 

DYMIN 

DNOGO 

LORSO 

UNDSM 

ELLTA 

STETO 

UGHOB 

JEGTO 

FTHOU 

GHTNO 

SEEIN 

GANDS 

OONTO 

NOTHI 

NKING 

NOIGN 

ORANG 

EANDN 

OENDT 

OIGNO 

RANGE 

NOOLD 

AGEAN 

DDEAT 

HNOEN 

DTOOL 

DAGEA 

NDDEA 

THNOA 

NGUIS 

HCAUS 

EOFAN 

GUISH 

GESSA 

TIONP 

ATHNO 

WISDO 

MANDN 

OATTA 

INMEN 

TSING 

ETHER 

EISNO 

THING 

TOATT 

AINTH 

EBODH 

ISATT 

VALIV 

ESTHU 

SWITH 

NOHIN 

DRANG 

EOFMI 

NDNOH 

INDRA 

NGEAN 

DHENG 

ENOFE 

ARFAR 

BEYON 

DDELU 

DEDTH 

OUGHT 

RIGHT 

HERE I 

SNIRV 

ANA 








It is not necessary that a monoalphabetic mapping be based on a shift. We can map the 
plaintext alphabet letters to a permutation of the alphabet, as shown in Table 1 .4. 

This particular mapping is based on a keyphrase “THE HILLS ARE ALIVE.” Note that 
the first few letters in the ciphertext column are the initial occurrences of each letter in the 
phrase. This was often done in practice, as it made the permutation easy to reconstruct. 
However, a permutation certainly need not be based on such a keyphrase. 


Plaintext Letter Ciphertext Letter 


A 

T 

B 

H 

C 

E 

D 

1 

E 

L 

F 

S 

G 

A 

H 

R 

1 

V 

J 

B 

K 

C 

L 

D 

M 

F 

N 

G 

0 

J 

P 

K 

Q 

M 

R 

N 

S 

0 

T 

P 

U 

Q 

V 

U 

w 

W 

X 

X 

Y 

Y 

z 

Z 
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.4 FREQUENCY ANALYSIS ON MONOALPHABETIC SUBSTITUTION 
CIPHERS 

Frequency analysis can be used for any permutation of single letters of an alphabet, not just 
a shift as in the Caesar cipher. The relative frequencies of all letters in English text (and 
many other languages) are well known. These frequencies can be used to break any cipher 
that maps individual letters. The approximate frequency distribution of letters in typical 
English text is shown in Figure 1.1. 

If analysts have enough ciphertext, they can use this distribution to make fairly good 
guesses about how individual letters are mapped in a monoalphabetic substitution cipher. 
For example, the most common letter in the ciphertext probably corresponds with the plain- 
text letter “E,” the second most common letter in the ciphertext probably corresponds with 
“T,” and so on. Once the analyst starts filling in these more common letters, they can begin 
to make some good guesses for the other letters, and they eventually fill out enough letters 
so that they uncover the secret mapping. 

Example. Consider the following ciphertext, which was produced by a mapping of the 
alphabet A ... Z to a permutation of the alphabet. 


HUFMD 

JCXNE 

ONUEZ 

UEJCX 

NUYMM 

TDHLF 

XTGYT 

HUFEY 

KENEF 

MXFCD 

GTXTQ 

JEFTZ 

YNHSJ 

FNUEM 

FYCNE 

FLFNX 

CEPSX 

FHGYH 

FJNUF 

JENHD 

JFNEO 

NDSMU 

FQSXC 

FNEEX 

TZYHU 

NDBJX 

QUHED 

SNTEN 

NBDJU 

XNTYE 

FNNYK 

FEAET 

HUDSQ 

UXGYM 

KHUJD 

SQUHU 

FAYMM 

FODBH 

UENUY 

CDGDB 

CFYHU 

XGXMM 

BEYJT 

DEAXM 

BDJOD 

SYJEG 

XHUEF 

ODSJJ 

DCYTC 

ODSJN 

HYBBH 

UEORD 

EBDJH 

EEODS 

ZJFZY 

JEYHY 

LMFLF 

BDJEE 

FXTHU 

FZJEN 

FTRFD 

BEGET 

FEXEN 

ODSYT 

DXTHE 

OUFYC 

GXHUD 

XMEOR 

SZDAF 

JBMDG 

NNSJF 

MOQDD 

CTFNN 

YTCMD 

AEGXM 

MBDMM 

DGEEY 

MMHUF 

CYOND 

BEOMX 

BFYTC 

XGXMM 

CGFMM 

XTHUF 

UDSNF 

DBHUF 

MDJCB 

DJFAF 

J 



c 



FIGURE 1.1 Relative Frequencies of English Letters (percent) 
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We must count the frequency of each letter in the ciphertext, and then compare these 
frequencies with the relative frequency table. Here are the counts for each letter: 


A 

6 

B 

17 

C: 

17 

D: 

39 

E : 

17 

F: 

67 

G 

13 

H 

25 

I : 

0 

J: 

26 

K: 

3 

L: 

4 

M 

29 

N 

30 

0: 

15 

P: 

1 

Q: 

6 

R: 

3 

S 

15 

T 

21 

U: 

28 

V: 

0 

W: 

0 

X: 

26 

Y 

26 

Z 

7 










F is by far the most common letter, and its plaintext partner is probably E. The next most 
common letters are D, N, M, U, J, X, and Y, which are likely the mappings of A, I, N, O, R, 
S, and T. The least frequent ciphertext letters are I, V, and W, which are likely the mappings 
of Q, X, and Z. These guesses may of course be wrong, but once you start trying different 
combinations words will start to appear in the plaintext. As you progress, you can start to 
make educated guesses about the mappings; this process starts out slowly, but quickly speeds 
up. Table 1.5 shows the mapping for this cipher. 

Using this mapping, we see that the plaintext is: 


THELO 

RDISM 

YSHEP 

HERDI 

SHALL 

NOTBE 

INWAN 

THEMA 

KESME 

LIEDO 

WNING 

REENP 

ASTUR 

ESHEL 

EADSM 

EBESI 

DEQUI 

ETWAT 

ERSHE 

RES TO 

RESMY 

SOULH 

EGUID 

ESMEI 

NPATH 

SOFRI 

GHTEO 

USNES 

SFORH 

ISNAM 

ESSAK 

EEVEN 

THOUG 

HIWAL 

KTHRO 

UGHTH 

EVALL 

EYOFT 

HESHA 

DOWOF 

DEATH 

IWILL 

FEARN 

OEVIL 

FORYO 

UAREW 

ITHME 

YOURR 

ODAND 

YOURS 

TAFFT 

HEYCO 

MFORT 

MEYOU 

PREPA 

REATA 

BLEBE 

FOREM 

EINTH 

EPRES 

ENCEO 

FMYEN 

EMIES 

YOUAN 

OINTM 

YHEAD 

WITHO 

ILMYC 

UPOVE 

RFLOW 

SSURE 

LYGOO 

DNESS 

ANDLO 

VEWIL 

LEOLL 

OWMEA 

LLTHE 

DAYSO 

FMYLI 

FEAND 

IWILL 

DWELL 

INTHE 

HOUSE 

OETHE 

LORDF 

OREVE 

R 



1.5 POLYALPHABETIC SUBSTITUTION CIPHERS 

As one can readily see, monoalphabetic substitution ciphers are notoriously easy to break. 
In the case of the Caesar cipher, the shift value can be uncovered rather easily. One way clas- 
sical cryptographers dealt with this was to use different shift values for letters depending on 
their position in the text. For example, one may do something like the following: 

• Let «!, 02 , . . . , a„ be the letters in a plaintext message. Consider the letter a^: 

• If p is divisible by 4, shift Op 1 letters down the alphabet. 

• If p is of the form 4A: -i- 1 for some k, shift Op 5 letters down the alphabet. 

• If p is of the form Ak+ 2 for some k, shift 13 letters down the alphabet. 

• If p is of the form 4A: -i- 3 for some k, shift Op 2 letters down the alphabet. 

Using this scheme, we can encipher the message 

DEFCON POUR 
as shown in Table 1.6. 


Plaintext Letter Ciphertext Letter 


A 

Y 

B 

L 

C 

R 

D 

C 

E 

F 

F 

B 

G 

Q 

H 

U 

1 

X 

J 

1 

K 

K 

L 

M 

M 

E 

N 

T 

0 

D 

P 

Z 

Q 

P 

R 

J 

S 

N 

T 

H 

U 

S 

V 

A 

w 

G 

X 

V 

Y 

0 

z 

W 
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TABLE 1.6 


Plaintext DE FCON FOUR 
Shift value 5 13 2 7 5 13 2 7 5 13 

Ciphertext 1 R HJ TA HVZE 


A B 

C 

D 

E 

F 

G 

H I 

J 

K 

L 

M 

N 

O 

P 

Q 

R 

S 

T 

U 

V 

W 

X 

Y 

Z 

0 1 

2 

3 

4 

5 

6 

7 8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 

24 

25 


TABLE 1.7 


The message to send is 
IRHJT AHVZE. 

Note that the way we group the letters has nothing to do with how many shift values are 
being used; in fact, we don’t want to give the analyst any clues by grouping the letters in 
blocks the same size as the number of shift values! 

It was difficult for classical cryptographers to remember shift values when using a large 
number of them. They certainly didn’t want to write them down, because the shift values 
were the secret key. So instead they used letters to represent the shifts in the form of a key- 
word, or a long keyphrase. Each letter in the alphabet was associated with its position, as 
shown in Table 1.7. 

From now on, when our alphabet consists of only capital English characters we will call 
this the “ordinary” alphabet. These keywords and keyphrases were easily remembered. For 
example, the keyphrase 

BLAST OFF 

represents the shift values 

1 12 0 18 19 14 5 5. 

These are the 8 shift values that would be used on a message, repeating the sequence every 
eighth letter. 


1 .6 THE VIGENERE CIPHER AND CODE WHEELS 

One convenient tool used for the previous type of cipher (called a simple shift Vigenere 
cipher) was a code wheel. The outer ring of the wheel represented plaintext letters, and the 
inner wheel represented ciphertext letters. Using a letter from a keyword or keyphrase, say 
“S,” one would rotate the inner wheel and position the keyword letter under the letter “A.” 
To encipher, one would go to the plaintext letter in the outer wheel, say “G,” and find its cor- 
responding ciphertext letter, in this case “Y.” This is the position of the wheel illustrated in 
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FIGURE 1.2 A Sample Code Wheel 


Figure 1.2. To decipher, one would position the keyword letter under “A,” hut would go from 
the inner ciphertext wheel to the outer plaintext wheel. 


BREAKING SIMPLE VIGENERE CIPHERS 

If enough ciphertext is received, and if the analyst makes a good guess for the key length, 
say n, frequency analysis also breaks these types of polyalphabetic substitution ciphers. An 
analyst can separate the ciphertext into n categories, and then do a separate frequency analy- 
sis on each category. In this way, one could derive all of the n shift values. The problem with 
using a keyword in this way is that it would eventually repeat, and this fact could be 
exploited. 
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TABLE 1.8 


Key Length = 5 


Category 1 

Category 2 

Category 3 

Category 4 

Category 5 

XIPGL 

ZIASN 

QSWGO 

TTRPX 

YNTOF 


Suppose we have the ciphertext message 

XZQTY IISTN PAWRT GSGPO LNOXP. 

If the analyst assumes (correctly) that the keyword is of length 5, she would separate the 
ciphertext into 5 categories, as described in Table 1.8. 

She then does a separate frequency analysis for each category; in this way she can derive 
the shift values for all letters in categories 1, 2, 3, 4, and 5. (Of course, this example does 
not provide nearly enough ciphertext to do this, but the method works as described.) How 
does one determine the key length? Random guessing may work, but perhaps only after a 
lot of work. The method described here is often useful. 

1.8 THE KAISISKI METHOD OF DETERMINING KEY LENGTH 

The Kaisiski method is a way of determining key length. This method takes advantage of 
the fact that languages contain not only frequent individual characters, but also frequently 
occurring letter pairs and letter triples. We can use this to spot recuning triples in the cipher- 
text. This will happen when a common triple falls on, and is enciphered by, the same por- 
tion of the keyword. By noting the distance between these recurring blocks of text in the 
ciphertext, we can make a good guess for the key length. 

I£xAMPLE. Suppose the triple FSI appears in the ciphertext 12 times, and the distance between 
the first character (F) of each is as shown in Table 1.9. 

Note that all but 2 of the distances in the table are multiples of 7. (The sixth appearance 
of FSI came about probably by coincidence, and probably does not represent the same plain- 
text triple). A good guess for the key length being used here is 7. 

Example. Consider the following ciphertext, which was formed using a Vigenere cipher on 
uppercase English letters: 

LJVBQ STNEZ LQMED LJVMA MPKAU EAVAT LJVDA YYVNF JQLNP LJVHK 
VTRNF LJVCM LKETA LJVHU YJVSF KRFTT WEFUX VHZNP 

If we use the Kaisiski method, we see that the triple LJV keeps reappearing. The distances 
between each occurrence of LJV are shown in Table 1.10. 

This tells us that it is very likely that the key length is 5. We now separate the ciphertext 
into 5 categories, and do a frequency analysis on each category, as shown in Table 1.11. 

In each category, the most common letter probably corresponds with the plaintext letter 
E, T, I, N, or R. It would be easier to determine the shift values if we had more text to work 
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with, since E is more likely to appear than any other letter in plaintext. However, we have 
even more information: The most common triple in English is THE, and in this example it 
probably corresponds with the triple LJV. Even with this short amount of text, we can try a 
few possibilities. The one that works is shown in Table 1.12. 

Thus, we derive the keyword 


SCRAM 
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TABLE 1.11 



TABLE 1.12 


and based on this, we can recover the plaintext. 

THEBE ARWEN TOVER THEMO UNTAI NYEAH THEDO GWENT ROUND THEHY 
DRANT THECA TINTO THEHI GHEST SPOTH ECOUL DFIND 


1 .9 THE FULL VIGENERE CIPHER 

The full Vigenere cipher is similar to the simple shift Vigenere in that it uses a keyword or 
keyphrase. However, in the full Vigenere cipher, rather than using a series of shift values ki, 
k 2 , . ■ . , k„, each letter in the keyword refers to a general permutation gj, € 2 , ■ ■ ■ , e„ of the 
alphabet. Enciphering in this way is aided by the use of a table such as Table 1.13. 




1 .9 The Full Vigenere Cipher 
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TABLE 1.13 



■■ 

■■ 

■■ 

■■ 

■■ 

■■ 

pa 

in 

■■ 

■I 

m 

■■ 

m 

ai 

■■ 

■■ 

■■ 

■■ 

m 

■■ 

m 

m 

m 

X 

Y 

Z 


A 

D 

u 

U 

C 

r 


n 


J 

rv 

L 

IVI 

IN 

u 

r 

u 

n 

O 

* 

U 

V 

VV 

A 

F 

W Y 

G 

B 

D 

z 

1 

X 

V 

H 

A 

L 

K 

J 

u 

E 

T 

c 

N 

R 

p 

s 

M 

0 

Q 

B 

G 

A 

Y 

0 

M 

X 

c 

w 

H 

z 

N 

B 

S 

T 

E 

V 

P 

D 

K 

Q 

U 

L 

F 

R 

1 

J 

C 

L 

Y 

B 

0 

N 

1 

z 

c 

K 

M 

J 

X 

H 

G 

A 

E 

T 

Q 

F 

V 

D 

W 

P 

R 

S 

U 

D 

F 

D 

1 

V 

Z 

H 

E 

G 

U 

Y 

B 

T 

K 

P 

W 

C 

S 

N 

Q 

J 

M 

0 

A 

L 

X 

R 

E 

Q 

T 

G 

S 

A 

R 

Z 

P 

B 

H 

X 

F 

J 

0 

Y 

K 

U 

D 

W 

1 

M 

V 

C 

N 

L 

E 

F 

M 

X 

C 

P 

0 

N 

F 

W 

E 

V 

1 

Q 

B 

D 

G 

H 

L 

Z 

U 

K 

R 

Y 

J 

T 

A 

S 

G 

F 

E 

P 

z 

D 

Y 

0 

1 

C 

W 

B 

Q 

X 

J 

S 

N 

H 

A 

R 

T 

G 

L 

K 

V 

M 

U 

H 

0 

B 

Z 

M 

N 

Y 

A 

L 

U 

R 

D 

C 

K 

P 

H 

Q 

F 

X 

J 

E 

S 

T 

G 

1 

W V 

1 

N 

F 

Y 

D 

Z 

H 

0 

E 

A 

G 

P 

W 

C 

V 

M 

1 

J 

T 

R 

B 

Q 

L 

K 

S 

U 

X 

J 

S 

A 

U 

M 

E 

K 

0 

N 

J 

F 

C 

P 

T 

H 

Y 

V 

L 

G 

Q 

Z 

D 

X 

1 

R 

B 

w 

K 

E 

W 

N 

D 

L 

X 

U 

K 

0 

F 

V 

M 

T 

C 

S 

R 

1 

P 

Z 

G 

Q 

J 

Y 

H 

A 

B 

L 

M 

B 

L 

T 

A 

S 

N 

X 

J 

W 

D 

U 

V 

0 

C 

K 

Q 

P 

1 

F 

Z 

G 

R 

E 

Y 

H 

M 

J 

1 

0 

C 

W 

H 

U 

M 

B 

V 

G 

N 

Y 

F 

P 

K 

L 

Y 

D 

X 

E 

R 

Q 

S 

Z 

A 

N 

E 

S 

C 

Y 

G 

Z 

R 

U 

D 

P 

0 

F 

A 

H 

T 

V 

K 

Q 

1 

M 

B 

X 

J 

L 

w 

N 

0 

B 

Z 

K 

J 

W 

P 

U 

Y 

L 

A 

X 

H 

V 

R 

M 

1 

F 

Q 

G 

0 

S 

N 

C 

T 

E 

D 

P 

Z 

Y 

0 

U 

M W 

N 

B 

V 

D 

G 

P 

K 

T 

A 

R 

H 

C 

X 

J 

1 

E 

L 

Q 

S 

F 

Q 

1 

V 

E 

H 

Q 

J 

F 

D 

K 

U 

Z 

G 

R 

A 

T 

P 

C 

S 

Y 

M W 0 

L 

B 

X 

N 

R 

c 

B 

U 

Y 

T 

G 

N 

P 

E 

S 

D 

Q 

Z 

0 

A 

M 

F 

L 

W 

K 

1 

R 

X 

J 

H 

V 

S 

V 

E 

R 

D 

S 

Q W 0 

G 

F 

C 

P 

Y 

J 

U 

N 

H 

L 

X 

1 

K 

Z 

T 

B 

A 

M 

T 

w 

B 

R 

A 

P 

0 

D 

F 

T 

C 

M 

X 

Y 

G 

U 

E 

Q 

N 

1 

Z 

V 

L 

S 

H 

K 

J 

U 

R 

B 

0 

M 

A 

N 

T 

C 

D 

V 

L 

Q 

J 

Z 

E 

S 

K 

U 

1 

W Y 

P 

H 

F 

X 

G 

V 

C 

Z 

B 

N 

G 

L 

0 

Y 

F 

X 

K 

M W 

H 

R 

D 

P 

J 

s 

A 

1 

Q 

U 

E 

V 

T 

w 

A 

s 

P 

Y 

Q 

R 

G 

F 

D 

E 

Z 

H 

0 

T 

V 

1 

B 

X 

N 

U 

J 

L 

K W C 

M 

X 

P 

Q 

0 

Z 

M 

X 

Y W 

S 

L 

N 

U 

K 

V 

T 

1 

J 

D 

G 

B 

R 

E 

A 

F 

C 

H 

Y 

M 

Y 

X 

0 

A 

N 

V 

C 

L 

U 

W 

B 

1 

T 

G 

K 

Q 

J 

P 

Z 

H 

R 

S 

E 

D 

F 

z 

Q 

P 

W 0 

Y 

Z 

N 

X 

H 

M 

S 

J 

L 

1 

U 

A 

G 

C 

T 

E 

F 

V 

D 

K 

B 

R 
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Each row is a permutation of the ordinary alphabet; the leftmost letter of each row is 
referenced by the keyword. The first row in the table represents the plaintext letter. To enci- 
pher the plaintext letter T using the key letter D, for example, we find the letter in the cell 
referenced by row D, column T. This yields the ciphertext letter J. 

3xAMPLE. Encipher the message 
HAHKOWWEW RULZ 
using the keyphrase 
SPICE. 

By locating each ciphertext letter in the manner described previously, we get 
OZTJY JTZGD KPX. 


Decryption should be simple to figure out. What makes the full Vigenere cipher slightly 
superior to the simple shift Vigenere is that the full relative frequency distribution of the lan- 
guage may be necessary to break the former, whereas only the most common letter is needed 
to break the latter. 


1.10 THE AUTO-KEY VIGENERE CIPHER 

Vigenere ciphers are our earliest examples of stream ciphers. Stream ciphers are those that 
encipher letters based on their position in the plaintext. Ideally, the key being used should 
never repeat, as this aids the cryptanalyst. Some stream ciphers make the plaintext and/or 
the ciphertext part of the encryption process; such is the case with the auto-key Vigenere. 

This type of cipher begins with a priming key of length n, say k^, ki, . . . , Encryp- 
tion for the first n characters is done the same way (using the key) as for the simple shift 
Vigenere, but after that, to encipher the /th character of the plaintext, we add to it (with 
wrap-around) the {i — n)th letter of the plaintext. This is easily seen with an example. 


QxAMPLE. Eor this example, it is convenient to see the letter-number associations of the 
ordinary alphabet. (See Table 1.14.) 

Suppose we wish to encipher the message 


LIGHT SPEED CHEWIE WOW 


A B 

C 

D 

E 

F 

G 

H I 

J 

K 

L 

M 

N 

0 

P 

Q 

R 

S 

T 

U 

V 

W 

X 

Y 

Z 

0 1 

2 

3 

4 

5 

6 

7 8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 

24 

25 


TABLE 1.14 Letter-Number Associations of the Ordinary Alphabet 
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TABLE 1.15 


Plaintext LI GHTSPEEDCHEWI ENOW 
Key ARGHLI GHTSPEEDCHEWI 
Ciphertext L ZMOEAVLXVRLI Z KLRKE 


using the keyword 
ARGH 

and an auto-key Vigenere. First, we write the plaintext, and underneath it we write the prim- 
ing key, followed by as much of the plaintext as necessary to fill out the line. Underneath 
this, we do a simple shift to generate the ciphertext shown in Table 1.15. 

How does one recover the plaintext when the plaintext is part of the key? It should be 
easy to see that only knowledge of the priming key is necessary. Once we use the key to 
decrypt the first n characters of the ciphertext, we derive the first n characters of the plain- 
text, and hence can use it to decrypt more ciphertext. 

One must be particularly careful with ciphers like these that no errors are made in the 
encryption phase, for a single miscalculated character affects an entire series of characters 
following it. Care must also be taken to ensure that no errors occur during transmission. 

1.11 THE RUNNING KEY VIGENERE CIPHER 

Another alternative to the auto-key Vigenere is called a running key Vigenere. It makes use 
of a very long key in the form of meaningful text, as in a book, of which both the sender 
and intended receiver have a copy. 

Example. Suppose we are working with the ordinary alphabet. Again, we show the ordinary 
letter/number associations, in Table 1.16, for quick reference. 

To encrypt the message 

TORA TORA TORA 

we use a passage from a book, such as a particular edition of the Bible, as the key: 

AND GOD SAID LET THERE BE LIGHT. 

The encryption proceeds as a simple shift, as shown in Table 1.17. 

To decrypt, one simply needs to know which passage from which book to use, and the 
plaintext is easily regained. 


ABCDEFGHI J KLMNOPQRSTUVWXYZ 
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 


TABLE 1.16 Letter-Number Associations of the Ordinary Alphabet 
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TABLE 1.17 Plaintext TORATORATORA 
Key ANDGODSAIDLE 

Ciphertext TBUGHRJ ABRDE 


1.12 BREAKING AUTO-KEY AND RUNNING KEY VIGENERE CIPHERS 

Though the auto-key Vigenere and the running key Vigenere evade the problem of the 
repeating key, they are still vulnerable to frequency analysis. This is because plaintext is being 
used for the key. Even though this plaintext never repeats, it still provides information. This 
is because high frequency letters in the key will often encipher high frequency letters in the 
message. This information is often enough to recover messages. 

1.13 THE ONE-TIME PAD 

One solution to thwarting frequency analysis on polyalphabetic substitution ciphers was to 
use a truly random key that would never repeat. Such a key was called a one-time pad. 
These were notebooks consisting of sheets with tables of random numbers on them. The ran- 
dom numbers were used as shift values. Each sheet in the pad was different from every 
other, and each sheet was used only once. Encrypting using a one-time pad would look 
something like Table 1.18. 

Using this particular sheet from a one-time pad, the ciphertext message 

WHTAB PJTAUCDHZL 
is produced from the plaintext message 

ENGAGE WARP DRIVE. 

If the message does not fill out the sheet, the rest of the sheet is ignored. After the sheet 
is used, it is destroyed. The recipient of the message would also have an identical one-time 
pad. The messages are numbered, so the recipient would know which sheet to use. They 
would use the same shift values to shift back to the plaintext. 

The one-time pad is the ultimate cipher, if used properly. In terms of ciphertext analy- 
sis, it is totally secure. In fact, it is the most secure cipher possible. There is no way an ana- 


Plaintext letter 

E 

N 

G 

A 

G 

E 

W 

A 

R 

P 

D 

R 

I 

V 

E 






Shift value 

9 

20 

13 

0 

21 

1 

13 

19 

9 

5 

25 

12 

25 

4 

7 

25 

0 

8 

8 7 

24 

Ciphertext letter 

N 

H 

T 

A 

B 

F 

J 

T 

A 

U 

C 

D 

H 

Z 

L 






Plaintext letter 
Shift value 

2 

6 

18 

16 

10 

23 

5 

11 

12 

13 

6 

22 

22 

17 

3 

8 

0 

0 

19 4 

15 


Ciphertext letter 


TABLE 1.18 
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lyst can guess the key if it is a potentially infinite sequence of random numbers. It is math- 
ematically provable that any plaintext message could map to some particular ciphertext 
message if random numbers are used; thus, the ciphertext provides absolutely no informa- 
tion to the analyst at all. 

Of course, the reason one-time pads are not used today is because they are simply imprac- 
tical. The distribution and protection of the pads is a logistical nightmare. For example, if 
all the sheets in a pad were used up, it would have to be replaced with a new pad consist- 
ing of entirely different random numbers. However, one-time pads have been used; in par- 
ticular, certain embassies have used them for highly sensitive communications with their 
governments. 


1.14 TRANSPOSITION CIPHERS 

Transposition ciphers were simply a permutation of the letters in a plaintext message; that 
is, they reordered the letters of the message. This reordering was specified for blocks of a 
predetermined size, and the reordering would occur within each block. Say we choose a 
block size of 5, and for a particular block we specify the following: 

The F' letter becomes the 4* letter, 

the 2"'^ letter becomes the 3'^‘* letter, 

the 3'“* letter becomes the F‘ letter, (*) 

the 4* letter becomes the 5* letter, and 

the 5* letter becomes the 2"'^ letter. 

A short way of denoting this permutation is to use the notation 

(1 45 2 3), 

which becomes meaningful if you just rearrange the statements in (*). 

The F‘ letter becomes the 4* letter, 
the 4* letter becomes the 5* letter, 
the 5* letter becomes the 2'“^ letter, 
the 2"'^ letter becomes the 3'^‘* letter, and 
the 3'“* letter becomes the F‘ letter. 

Suppose we have the plaintext message 
THE SKY PALLING PLEASE ADVISE 
which we split into blocks of length 5: 

THESK YEALL IWGPL EASEA DVISE 

If we use the permutation defined by (’), we get the following scrambled blocks, which 
comprise the ciphertext. 

EKHTS ALPYL GLNIP SAAEE lEVDS 
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By themselves, transposition ciphers are considered very weak ciphers. Anyone who has 
played anagrams or has done unscrambling puzzles in the newspaper can testify to this. 
However, when transposition is used in combination with substitution, one can produce 
very powerful ciphers. Many modern ciphers are based on this idea. 

1.15 POLYGRAM SUBSTITUTION CIPHERS 

Mapping single letters to single letters is far too vulnerable to be useful. Thus, cryptogra- 
phers eventually came up with the idea of mapping entire blocks of plaintext letters to blocks 
of ciphertext letters. The ciphertext blocks didn’t necessarily have the same length as the 
plaintext blocks. For example, suppose we wish to map 8 letter blocks to 8 letter blocks. In 
general, we could specify the mapping shown in Table 1.19. 

There are clearly a lot of 8-letter plaintext blocks in the range AAAAAAAA through 
ZZZZZZZZ (26®, exactly). If one wanted to do frequency analysis on such a scheme, he 
would require a table of 26® = 208,827,064,576 blocks, and would have to know the rela- 
tive percentages for which each 8-letter block appears in typical English text (if that is the 
language being used). Then, he would need an enormous amount of ciphertext so that he 
could determine the relative frequency of the 8-letter ciphertext blocks, and equate cipher- 
text blocks to plaintext blocks. This is clearly infeasible, both in terms of the time and stor- 
age requirements. Thus, doing frequency analysis on blocks of letters is much harder than 
doing frequency analysis on individual letters. However, if the cryptosystem does not use 
a sufficiently large block size, frequency analysis is still possible. An example follows. 

1.16 THE PLAYFAIR CIPHER 

The Playfair cipher was a cryptosystem that mapped digraphs (2-letter pairs) to digraphs. 
The letters were arranged in a 5 X 5 square. There are 26 letters in the ordinary alphabet, 
so the letters I and J were equated. This is the simplest 5X5 Playfair square: 


A 

B 

C 

D 

E 

F 

G 

H 

l/J 

K 

L 

M 

N 

0 

P 

Q 

R 

S 

T 

U 

V 

W 

X 

Y 

Z 


TABLE 1.19 

AAAAAAAA 

maps 

to 

ZXCIJCDV 


AAAAAAAB 

maps 

to 

APQODFIM 


ZZZZZZZZ 

maps 

to 

SSTFQQWR 
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The letters in the square, however, were usually permuted, often based on a keyword or 
keyphrase. The Playfair Square that follows is derived from the keyphrase “The quick brown 
fox jumped over the lazy dogs.” 


T 

H 

E 

Q 

U 

l/J 

C 

K 

B 

R 

0 

W 

N 

F 

X 

M 

P 

D 

V 

L 

A 

Z 

Y 

G 

S 


It is easy enough to see how this is done. You fill in the square with letters from the 
keyphrase, avoiding duplicates. If the keyphrase does not contain all 26 letters, you fill out 
the rest of the table with the unused letters, in order. A Playfair square based on the keyphrase 
“Since by man came death” follows. 


S 

l/J 

N 

C 

E 

B 

Y 

M 

A 

D 

T 

H 

F 

G 

K 

L 

0 

P 

Q 

R 

U 

V 

W 

X 

Z 


Here is how to encrypt with the square: The plaintext pair of letters p, q is mapped to the 

ciphertext letters c, d as follows: 

1 . If p and q are in both different columns and different rows, they define the corners of a 
square. The other 2 corners are c and d; c is the letter in the same column as p. 

2 . If p and q are in the same row, c is the letter to the right of p, and d is the letter to the right 
of q (wrapping around if necessary). 

3. If p and q are in the same column, c is the letter below p, and d is the letter below q (with 
wrap-around). 

4 . If p = q, the letter “X” is inserted into the plaintext between the doubled letters. The eval- 
uation continues with the new pair p, and q = “X.” If there is only one letter trailing at 
the end (instead of a full pair), add a final letter “X.” 
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HxAMPLE. 


We use the following square 


L 

0 

V 

E 

I/J 

S 

A 

M 

N 

Y 

P 

D 

R 

T 

H 

G 

B 

C 

F 

K 

Q 

U 

W 

X 

Z 


to encrypt the message 
AMBASSADOR SHOT. 

First, group the letters in pairs 
AM BA SS AD OR SH OT. 

Now look for any douhled letter pairs and insert an X between them. Regroup the plain- 
text. 

AM BA SX SA DO RS HO TX 

If there are not enough letters to make the final pair, add another X at the end, as done 
here. If one follows the rules outlined previously, one should obtain the following cipher- 
text: 

MN UD QN AM BA MR ID PE 

The rules for decryption should be easy to figure out; the same Playfair square is used. 
(Of course — the square is the key.) The ciphertext pair of letters c, and d, are mapped to the 
plaintext letters p and q in the following way. 

1. If c and d are in both different columns and different rows, they define the corners of a 
square. The other 2 corners are p and q; p is the letter in the same column as c. 

2. If c and d are in the same row, p is the letter to the left of c, and q is the letter to the left 
of d (wrapping around if necessary). 

3. If c and d are in the same column, p is the letter above c, and q is the letter above d (with 
wrap-around). 

Because of the way enciphering was done, doubled letter ciphertext pairs will not occur. 
The recipient must remove from the recovered plaintext any letter X’s which do not make 
sense. They must also determine, since I and J are equated, whether a recovered plaintext 
I/J is an I or a J. 
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FIGURE 1.3 Percentage of Common Digraphs in English Text 


1.17 BREAKING SIMPLE POLYGRAM CIPHERS 

The Playfair cipher, for all its complicated rules, is not secure. Digraphs are not large enough 
blocks to rule out the use of frequency analysis. Tables that record the relative frequency of 
digraphs in typical English text exist (as well as for many other languages). For example, 
the most common digraph in English text is “TH,” followed by “HE.” Using such tables, 
one can break a Playfair cipher given enough ciphertext. A complete table is often not even 
necessary; a partial table will often be enough, such as the chart shown in Figure 1.3. 

Relative frequency tables for English exist even for trigraphs (3-letter blocks); the most 
common is “THE,” followed by “AND” and “THA.” Such tables exist for even larger blocks. 
Modern polygram ciphers use a block size of at least 8 characters. 

1 .18 THE JEFFERSON CYLINDER 

None other than the American statesman Thomas Jefferson invented the Jefferson cylinder. 
It was an ingenious device that provided very secure ciphers, and it was used for many 
years. The cylinder consisted of 36 wheels. Each wheel had printed on it a complete (scram- 
bled) alphabet. A simplified drawing of a typical Jefferson cylinder is shown in Figure 1 .4. 

To encipher, one needed to rotate the wheels so that the plaintext appeared along one of 
the rows in the cylinder. To select the ciphertext, one would simply select any of the other 
25 rows. Rotating the wheels so that the ciphertext would appear in one of the rows did 
deciphering. Then they would search the other 25 rows of the cylinder for meaningful text. 

What made the Jefferson cylinder so powerful was the huge size of its rows, or blocks; 
frequency analysis on such blocks, each consisting of 36 characters, was literally impossi- 
ble at the time. 

The Jefferson cylinder eventually fell into disuse because of its impracticality. (This is 
why most of the excellent classical ciphers were rejected; they were too hard to implement.) 
Every authorized user of the cryptosystem would need his or her own cylinder. If a single 
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cylinder fell into the wrong hands, the cipher would become useless; in that case, one solu- 
tion would be to reorder the wheels on the cylinder, ensuring that no unauthorized persons 
receive this vital information. 

1.19 HOMOPHONIC SUBSTITUTION CIPHERS 

Another approach taken to thwart frequency analysis was the use of homophones. This was 
a system of enciphering wherein letters that occurred more frequently in the language were 
given multiple choices of ciphertext symbols. The more frequent a plaintext letter was, the 
more choices it would have. 

For quick reference, the relative frequencies of letters in typical English text are shown 
again, in Figure 1.5. 



FIGURE 1.5 Relative Frequencies of English Letters (percent) 
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The following table is a sample of a homophonic substitution scheme. This scheme is 
based on the distribution of letters in typical English text. So, for example, because the let- 
ter E appears about 13 percent of the time in such text, there are 13 choices of ciphertext 
replacements for E in the table. This is called a table of homophones. (See Table 1.20.) 

Using this table, the message “RETREAT” could be enciphered as 

DQ AW CC AQ CO BS DB. 

It could also be enciphered in other ways depending on our choices for those letters hav- 
ing multiple selections. It is important to make a selection as randomly as possible. This ran- 
domization “evens out” the relative frequency distribution of the ciphertext digraphs, so 
equating “humps” in the ciphertext to “humps” in the plaintext becomes difficult, if not 
impossible. 

Note that the ciphertext is larger than the plaintext. This is necessary if individual letters 
have multiple choices without introducing new alphabetic symbols. Encryption is a 


Plaintext 

letter 






Choices for ciphertext unit 




A 

BU 

CP 

AV 

AH 

BT 

BS 

CQ 





B 

AT 











C 

DL 

BK 

AU 









D 

BV 

DY 

DM 

AI 








E 

DK 

CO 

AW 

BE 

AA 

CR 

BM 

CS AF 

AG 

BO 

BN BE 

F 

BW 

CM 

CN 









G 

DN 

BJ 










H 

AS 

CL 

CK 









I 

DJ 

BI 

AX 

CJ 

AB 

BP 

CU 

CT 




J 

BX 











K 

DI 











L 

AR 

BH 

Cl 

AJ 








M 

DH 

BG 

AY 









N 

BY 

DC 

DF 

CH 

AC 

BR 

DU 

DT 




O 

DZ 

BE 

DX 

AK 

CG 

BQ 

DR 





P 

BZ 

DE 

AZ 









Q 

DD 











R 

AQ 

DC 

DQ 

AL 

CE 

CF 

CV 

DS 




S 

AP 

AN 

AO 

CD 

DW 

DV 






T 

CB 

DB 

DP 

CC 

AD 

CY 

CW 

CX AE 




U 

CA 

AM 

BA 









V 

BB 











w 

CZ 











X 

BD 











Y 

DO 

DA 










Z 

BC 












TABLE 1.20 A Sample Table of Homophones 
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one-to-many mapping, but note that decryption is not, for none of the letter pairs in the pre- 
vious table appear more than once. (You may wish to verify this.) Thus, decryption always 
produces the correct message. 

Those decrypting would probably have the inverse mappings organized according to the 
ciphertext symbols, to aid in decryption. A listing of the inverse mappings of our sample 
homophone is shown in Table 1.21. 

Homophonic ciphers were very effective, and were used extensively in the past. Because 
of their heavy dependence on the language being used, and because modern powerful block 
ciphers are primarily independent of language, homophones are not commonly used today. 


1.20 COMBINATION SUBSTITUTION/TRANSPOSITION CIPHERS 

When substitution and transposition are used simultaneously, and especially when the respec- 
tive block sizes are different, the result can be a very powerful cipher. 

Example. The following is a cipher that uses both substitution and transposition. Three 
transformations will be involved. Suppose we use the ordinary alphabet, where substitu- 
tions for plaintext are first made according to Table 1.22. 

That is, 

A maps to AA (row A, column A) 

B maps to AB 
C maps to AC 


Q maps to DB 


Y maps to EE 
Z maps to DB. 

(Note that the letters Q and Z map to the same pair. When decryption is done this should not 
be a problem as Q and Z are very infrequent letters, and it should be easy to determine 
which letter was intended). Suppose we wish to encipher the following message: 

TAKE ME TO YOUR LEADER. 

Now, convert each letter to its letter pair equivalent. 

DE AA CA AE CC AE DE CE EE CE EA DC CB AE AA AD AE DC 

Take the second half of this text and place it under the first half. 

DE AA CA AE CC AE DE CE EE 
CE EA DC CB AE AA AD AE DC 
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TABLE 1.21 
Inverse 
Mappings 
for Sample 
Table of 
Homophones 









Letter 

AA 

E 

BA 

U 

CA 

U 

DA 

Y 

AB 

1 

BB 

V 

OB 

T 

DB 

T 

AC 

N 

BC 

Z 

00 

T 

DC 

R 

AD 

T 

BD 

X 

CD 

S 

DD 

Q 

AE 

T 

BE 

E 

CE 

R 

DE 

P 

AF 

E 

BE 

0 

OF 

R 

DF 

N 

AG 

E 

BG 

M 

CG 

0 

DG 

N 

AH 

A 

BH 

L 

OH 

N 

DH 

M 

Al 

D 

Bl 

1 

Cl 

L 

Dl 

K 

AJ 

L 

BJ 

G 

CJ 

1 

DJ 

1 

AK 

0 

BK 

0 

CK 

H 

DK 

E 

AL 

R 

BL 

E 

CL 

H 

DL 

C 

AM 

U 

BM 

E 

CM 

F 

DM 

D 

AN 

S 

BN 

E 

CN 

F 

DN 

G 

AO 

S 

BO 

E 

CO 

E 

DO 

Y 

AP 

S 

BP 

1 

CP 

A 

DP 

T 

AQ 

R 

BO 

0 

CO 

A 

DO 

R 

AR 

L 

BR 

N 

CR 

E 

DR 

0 

AS 

H 

BS 

A 

CS 

E 

DS 

R 

AT 

B 

BT 

A 

CT 

1 

DT 

N 

AU 

C 

BU 

A 

CU 

1 

DU 

N 

AV 

A 

BV 

D 

CV 

R 

DV 

S 

AW 

E 

BW 

F 

CW 

T 

DW 

S 

AX 

1 

BX 

J 

CX 

T 

DX 

0 

AY 

M 

BY 

N 

CY 

T 

DY 

D 

AZ 

P 

BZ 

P 

CZ 

W 

DZ 

0 
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Now, we do the second transformation. Form new pairs by associating each letter in the 
upper half with the letter below it; this yields 

DC EE AE AA CD AC AC EB CA CE AA EA DA ED CA EE ED EC. 

Now, using the same matrix given previously, map these pairs back to their single letter 
equivalents. This third transformation yields the final ciphertext (grouped into 5-letter 
blocks): 

RYEAN CCVKO AUPXK YXW 

(If we encounter a DB pair, it doesn’t matter if we map it back to a Q or a Z.) In order to 
decipher, an individual simply maps the ciphertext letters to their letter pair equivalents, 
perhaps writing them vertically to save time. 

DE AA CA AE CC AE DE CE EE 
CE EA DC CB AE AA AD AE DC 

She then regards the pairs horizontally, and regains the plaintext 

TAKEM ETOYO URLEA DER. 


This cipher is similar to a German wartime cipher (called the ADFGVX cipher) that per- 
plexed the allied cryptanalysts for quite some time. It was a surprisingly simple cipher, but 
it was only cracked after great expenditure of time and effort. 

This cipher, like the German ADFGVX cipher, uses a property called fractionation, which 
means a permutation on parts of a unit rather than among the units. In this cipher, this hap- 
pens when we split the letter pairs. A mapping from a single character initially formed these 
pairs, so it is akin to moving “half” of a plaintext character. This is what confounds attempts 
at breaking such ciphers. Not all substitution/transposition ciphers use this property. 


1. Write a Java program to simulate one of the ciphers in this chapter. Prompt the user to 
enter a message, and then return the corresponding ciphertext. Then decrypt the mes- 
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sage and show the user the regained plaintext. Use only uppercase English characters 
for your alphabet. 

2. The following text was produced using a Caesar cipher on a message consisting of only 
uppercase English letters. Determine the shift value and recover the plaintext. 

MXXFT QQHUX WMDYM QHQDO DQMFQ PNKYQ EUZOQ ARAXP AZMOO AGZFA RYKNQ 

SUZZU ZSXQE ESDQQ PTMFD QPMZP USZAD MZOQN ADZAR YKOAZ PGOFE BQQOT 

MZPFT AGSTF UZAIO AZRQE EABQZ XKMZP RGXXK 

3. The following text was produced using a simple Vigenere cipher. Use the Kaisiski 

method to determine probable key length, then do a frequency analysis to determine the 
keyword, and recover the plaintext. 


SSQYN 

ASXES 

RBFOR 

SOUYK 

VTAKO 

QVKSZ 

WOQSF 

VNOBB 

BRWKB 

BRGQS 

QSOSF 

WUYSX 

FHKYS 

YGODI 

ESUMD 

BUJOD 

FQGWN 

IBSDO 

HSPBW 

XBDIL 

MWQGP 

FZNVD 

DOSGO 

NEZSB 

JUSBQ 

FSXUW 

QOIOZ 

VLBIN 

TSBTP 

VBKUV 

OXKOJ 

KDFMZ 

UGUBB 

DVITS 

PKTHG 

ZPZCB 

FWZVZ 

YCLMW 

HUOSO 

VBQCE 

SGSSO 

BIWGS 

FDISG 

BZOBN 

DFMZU 

GUBBD 

VIORS 

NUHWY 

OBSGZ 

GFUTD 

FSOUS 

BWSFV 

BUAOO 

SNOTO 

ZPSSR 

FBBCY 

SGQRP 

HDKVZ 

OXEUO 

XTHCX 

FGQYU 

HVKOR 

PYPYG 

PBDDV 

US RMS 

MDDPU 

FKQVM 

MSQDB 

FGGBP 

GSXLS 

BXFHV 

OMSAO 

OHOBZ 

BIWGS 

FDISG 

BZOBN 

JHGKQ 

DZSDO 

HSPBG 

LPGHY 

OORNJ 

GGXXS 

GVFMF 

YTWBQ 

NWQRB 

SZSND 

ZONSB 

DUBUO 

MZWZU 

WQMVF 

JODFM 

ZUCUB 

BDVIH 

ESOOK 

WMIAO 

XOWBQ 

TAWDI 

FWMIO 

FNJBH 

OSBSD 

DFMZU 

CUBBD 

VICCG 

DPBON 

EWGYO 

KSGMS 

MCUOZ 

VUBUG 

XWZVJ 

OAMSM 

DDPUF 

KQVMK 

ORBOU 

KCBLG 

SMVFW 

DZBRO 

EWHSP 

BIZQS 

FCBRR 

VFFWF 

FFDBF 

BHSDS 

VKMZG 

DFDSX 

TCBXF 

OZMSM 

DDPBG 

WUQCX 

OSKIP 

FYZFF 

SXOWO 

VUFOZ 

QSKKE 

SOXEK 

OCIWB 

QUGBV 

BKFOO 

QSSOH 

FYEIQ 

DUGBD 

PQFIQ 

HGQSO 

DRZKW 

DIQCN 

JBUDI 

SCBZI 

DZFFG 

KERZO 

SWJOS 

DFOOH 

WMFVO 

VMKOI 

OSFZE 

HSBEW 

GKQDS 

KSWBQ 

DFMZU 

GUBBD 

VIDVS 

GUBID 

IWZVB 

DDBPT 

SGTWG 

XBZ 








4. The following text was produced using an auto-key Vigenere cipher. Attempt to recover 
the priming key, and hence the plaintext. 

TVWFP WHZD PZXLX ADBSS SSWBW KAABS DXZFG ANWTZ PWEKV AEOEA 

PIOBZ TALSV XUIFW AYEMU MFWAY EMWLT AMMNL HGAHX QILIG PPXFQ 

ZMEAD XUXGM RSJHZ XLXCW HKNEH YKZMB OEDXZ EGANW TZPWE MOGWO 

EAPKH HRTAL SVXUI EWAYE MUMFW AYEMW LTAMM NLHGA HXQIL IGPPX 

FSSSW BWKAA BS 

5. The following text was produced using a monoalphabetic substitution cipher, which 
maps the alphabet A . . . Z to a permutation of that alphabet. Using frequency analysis, 
attempt to recover the plaintext. 

ULNEA YTWPX TFNUR WBPHN BPEXE YRKXB PANXE YRKFX HNENW WPETE 

NUULN BKRFN YZNKU LNSXW LYSUL NWNPP ETULN GXKTW YSULN PXKYZ 

NKULN FXZNW UYIHY ZNKPE EULNN PKULP ETYZN KPEFU LNIKN PURKN 

WULPU BYZNP FYEAU LNAKY RETWY AYTIK NPUNT BPEXE LXWYD EXBPA 

NXEUL NXBPA NYSAY TLNIK NPUNT LXBBP FNPET SNBPE NLNIK NPUNT 

ULNBA YTGFN WWNTU LNBPE TWPXT UYULN BGNSK RXUSR EPETX EIKNP 
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WNXEE 

RBGNK 

SXFFU 

LNNPK 

ULPET 

WRGTR 

NXUKR 

FNYZN 

KULNS 

XWLYS 

ULNWN 

PPETU 

LNGXK 

TWYSU 

LNPXK 

PETYZ 

NKNZN 

KJFXZ 

XEAIK 

NPURK 

NULPU 

BYZNW 

YEULN 

AKYRE 

TULNE 

AYTWP 

XTXAX 

ZNJYR 

NZNKJ 

WNNTG 

NPKXE 

AMFPE 

UYEUL 

NSPIN 

YSULN 

DLYFN 

NPKUL 

PETNZ 

NKJUK 

NNULP 

ULPWS 

KRXUD 

XULWN 

NTXEX 

UULNJ 

DXFFG 

NJYRK 

WSYKS 

YYTPE 

TUYPF 

FULNG 

NPWUW 

YSULN 

NPKUL 

PETPF 

FULNG 

XKTWY 

SULNP 

XKPET 

PFFUL 

NIKNP 

URKNW 

ULPUB 

YZNYE 

ULNAK 

YRETN 

ZNKJU 

LXEAU 

LPULP 

WULNG 

KNPUL 

YSFXS 

NXEXU 

XAXZN 

NZNKJ 

AKNNE 

MFPEU 

SYKSY 

YTPET 

XUDPW 

WYAYT 

WPDPF 

FULPU 

LNLPT 

BPTNP 

ETXUD 

PWZNK 

JAYYT 

PETUL 

NKNDP 

WNZNE 

XEAPE 
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CHAPTER 2 

Large Integer Computing 


The vast majority of modem cryptography is handled by computers, which deal very 
efficiently with numbers, especially integers. Thus, not surprisingly, we find that much 
of modern cryptography is based on arithmetic with large integers. Of course, the default 
integer data type for computing languages is limited in size, so programmers are often faced 
with producing a new data type for integers of arbitrary size. Java, however, does provide 
a Biginteger class, and it is very useful in cryptography. We will discuss this class later in 
the book, but first it would be enlightening to try to produce a similar class of our own. 

So, we begin developing an Int class. It can be supplied with various methods that manip- 
ulate integers of arbitrary size; that is, it should be able to perform arithmetic with integers 
of hundreds or even thousands of decimal digits. Such integers are common in modern cryp- 
tography. 

The Int class data fields should be able to represent an integer of arbitrary size in some 
way, and also be able to represent some constructors that accept parameters to initialize the 
data fields. We could represent the integer as an array of ints, where each int is a digit. (See 
Figure 2. 1 .) We could also have a boolean data field that records the sign of the number, as 
in the following code: 

public class Int { 

//Records if Int negative /nonnegative 
boolean negative=false; 

//Digits are stored as decimal digits, 

//highest order digit first 
int[] digits; 

//Declare zero constant 

final public static Int ZERO=new Int ( ) ; 

//Records position of 0 (zero) in the 
//character set 

final private static int zeroPos= ' 0 ' ; 
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FIGURE 2.1 



So, for example, we would store the integer —000723894101 as in Figure 2.1. Note that 
we disregard any leading zeros. The exception to this will be when we represent zero; the 
array will have the single digit 0. 

2.1 CONSTRUCTORS 

For constructors, we should have the following: 

1. An Int constructor which can convert an atomic type int to an Int, 

2. One which can convert a string into an Int, 

3. One which copies an Int to a new Int, and 

4. The default constructor (one which accepts no parameters). This one will set the Int to 
zero. 

For the first constructor listed, we consider how this will be done. Suppose we want to 
convert the int n = —562 into an Int. We could set aside enough space for ten digits, since 
the largest int is around 2 billion and would require no more than ten decimal digits. 

We first take note of the sign of the number, and then set the boolean negative field to 
either true or false. We could then successively divide n by ten, keeping the remainder each 
time and placing it in the array starting at the rear. If we have any unfilled slots in the array 
when we are finished, we can move forward the elements at the rear. The code to accom- 
plish this follows: 

public Int (int n) { 

//Produce the array-an int can not have more than 10 decimal digits 
int[] temp=new int [10]; 

//zero is a special case 
if (n==0) { 

negat ive= false; 
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digits=new int[l]; 
digits [0] =0; 
return; 

} 

//Negative int n-set negative to true, take absolute value of n 
if (n<0) { 

negative=true; 
n=Math.abs (n) ; 

} 

int count=10; 

//Divide by 10 until nothing left 
while (n>0) { 

//Remainder is the count-th digit in the array 

temp [—count] =n%10 ; 

n/=10; 

} 

//Remove any leading zeros-make new array and copy 
digits=new int [temp. length-count] ; 

for (int i=0 ; i<digits . length; i++ ) digits [i] =temp [count+i] ; 

} 

The constructor which produces a copy of an Int from another Int, and the Int() con- 
structor which accepts no parameters, are easy to code. The Int() constructor should set the 
Int to zero. 

//This one produces an array of one int containing 0 
public Int ( ) { 

negative=false; 
digits=new int [1] ; 
digits [0] =0 ; 

} 

public Int (Int n) { 

negat ive=n . negat ive ; 
digits=new int [n. digits. length] ; 

for (int i=0 ; i<digits . length; i++ ) digits [i] =n. digits [i] ; 

} 

We now develop a constructor that produces Int objects from strings. We can arrange it 
so that it will parse strings to determine whether or not it can be interpreted as an Int, then 
place the characters (converted to ints) in the array. In case the string cannot be parsed as 
an Int, we can throw an IntException: 

public class IntException extends Exception { 
public IntException]) {super]);} 
public IntException (String s) {super(s);} 
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//This constructor converts a String to an Int . May throw an 
//Exception if the String cannot be converted to an Int. 
public Int (String s) throws IntException { 

//Place the string into an array of characters 
char [ ] teinp=s . trim ( ) . toCharArray ( ) ; 

//Parse the array. 

//Eirst character may be a sign 
Z/firstDigitLoc records index of first digit 
int f irstDigitLoc=0 ; 

//If sign symbol encountered, make negative Int, move to 
//next index 
if (temp [0] == ' - ' ) { 
negative=true; 
f irstDigitLoc++; 

//If "+" just move to next symbol 
} else if (temp[0]=='+' ) { 
f irstDigitLoc++; 

} 

int index=f irstDigitLoc; 

//Check if remaining characters are digits-record # leading 
//zeros 

boolean signif leant Digit Eound= false, ■ 

while ( index<temp . length&&Character . isDigit (temp [index] ) ) { 
if {! signif icantDigitEound) { 

//Skip any leading zeros 

if (temp [index] ==' 0 ' ) f irstDigitLoc++ ; 

else signif icantDigitFound=true ; 

} 

index++; 

} 

//Throw an exception if nondigit found 

if ( index<temp . length) throw new IntException ( "This is not a 
valid integer! " ) ; 

//If no significant digit found, this was a string of all zeros 
//Make the zero Int and return 
if (! signif icantDigitEound) { 
negat ive= false ; 
digits=new lnt[l]; 
digits [0] =0; 
return,■ 

} 
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//This parsed as an integer-store it, ignoring leading zeros 
char [ ] 

c=s.trim() . substring ( firstDigitLoc , s . length ( ) ) . toCharArray ( ) ; 
digits=new int [c . length] ; 

//Subtract zeroPos from the character-this gives the 
//corresponding int 

for (int i=0 ; i<c . length; i++ ) digits [i] = (int) c [i] -zeroPos; 

} 

For output purposes, we should be able to convert an Int object to a string and display 
it. Thus, as with all good classes in Java, we will supply a toStringO method. 

//Returns the Int as a String, mainly for output purposes 
public String toStringO { 

//Use a StringBuffer for efficiency 
StringBuffer answer=new StringBuf f er ( " " ) ; 

//Put a symbol in front if negative 
if (negative) answer . append ("-") ; 

//Append each digit to the StringBuffer and return it as a String 
for (int i=0 ; i<digits . length; i++ ) { 

answer. append (new Integer (digits [i] ) .toStringO ) ; 

} 

return new String (answer ) ; 

} 

Now that we have designed these constructors, we should test them to verify that they 
work. The class TestIntConstructors is a console program that simply asks the user to enter 
some integers and then converts them to Ints. It then turns them back to strings using the 
toStringO method and displays them. The code can be found at the book’s website, and an 
example run is shown in Figures 2.2(a)-(e). 


FIGURE 2.2 (a) 
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FIGURE 2.2 
(continued) 


(c) 





2.2 COMPARISON METHODS 

We should write methods that allow us to compare Int objects; that is, methods to tell us when 
they are equal, and if one is less than another. To determine whether Int x is less than Int y, 
for example, we could do the following; 

• If X and y are of different signs, the negative one is smaller. Otherwise, continue with the 
next step. 

• If the arrays representing x and y are different lengths, and if both are negative, then the 
larger array is the smaller number. Otherwise the smaller array represents the lesser of the 
two Ints. If both arrays are the same length, continue with the next step. 

• Proceed down the array until you find unequal digits. If both x and y are negative, the array 
containing the smaller digit is the largest. Otherwise, the array containing the larger digit 
represents the larger integer. If you find no unequal digits, neither integer is larger. 
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This is how we normally compare integers ourselves, and writing the lessThan(Int) 
method in Java isn’t terribly difficult. 

public boolean lessThan(lnt other) { 

//Start by assuming this is less than other 
boolean answer=false; 

//Both Ints are nonnegative here 
if ( Inegat ive&&! other .negative) { 

//If they are the same length, must compare the digits 
if (digits . length==other . digits . length) { 
int i=0; 

while (i<this . digits . length&&digits [i] ==other. digits [1] ) i++; 
//Each digit of this was less than each digit of other 
if ( i<this . digits . length) 

if (digits [i] <other. digits [i] ) 
answer=true; 

//this has smaller length than other-must be less than 
} else if (digits . length<other. digits . length) answer=true ; 

//If both Ints negative, do the reverse of the above comparisons 
} else if (negative&&other .negative) { 

if (digits . length==other . digits . length) { 
int i=0; 

while (i<this . digits . length&Scdigits [i] ==other. digits [1] ) i++; 
if ( i<this . digits . length) 

if (digits [i] >other. digits [i] ) 
answer=true; 

} else if (other. digits. length<digits. length) answer=true ; 

//If this is negative and other nonnegative, must be less than 
} else if {negative&&! other. negative) answer=true; 

//Otherwise, this is nonnegative and other negative 
//Return answer, which was initialized to false 
return answer; 


The code to determine whether or not two Ints are equal should now be very simple to 
write. 

public boolean equals (Int other) { 
boolean answer=true; 

//Check If same sign 

if (negative!=other. negative) answer=false; 

//Check if different lengths 

else if (digits. length !=other. digits. length) answer=false; 

//If same length and sign, compare each digit 
else for (int i=0 ; i<digits . length; i++) 
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//Any nonmatching digit sets answer to false 
if (digits [i] !=other. digits [i] ) answer=false; 
return answer; 

} 


We now demonstrate a test program for the lessThan(Int) and equals(Int) methods. The 
code can be found on the book’s website under the class name TestIntComparisonMethods. 
Screen shots of the test program are shown in Figure 2.3a-d. 






FIGURE 2.3 
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2.3 ARITHMETIC METHODS 

Of course, we must write methods to perform arithmetic with Int objects. We must be able 
to add, subtract, multiply, and divide. For convenience, we should add methods to increment 
and decrement Int objects. First, we consider the addition of two integers a and b: 

• If one is zero, return the other as the answer. Otherwise go on. 

• If a = —b, return zero. Otherwise go on. 

• If the digits are the same sign, add them beginning with the lowest digits, adding any car- 
ries in the subsequent addition. Otherwise go on. 

• If the digits are of different signs, this is a subtraction; either a — -b or b — -a. To do a 
subtraction, you must determine the larger of the two integers without regard to sign, then 
subtract the smaller integer from the larger. The sign of the answer is the same as that of 
the larger operand. 

We shouldn’t be too surprised at this addition/subtraction scheme, because it is the way 
humans (using base 10) normally do it. Notice that writing the add(Int) and subtract(Int) may 
entail using some of the methods already developed (like equals(Int) and lessThan(Int)), 
and may require writing a few more methods as well. For instance, in the following there 
is a method to negate an Int, and one to produce the absolute value. These are listed first. 

public Int absoluteValue ( ) { 

//Make a new Int by copying this Int 
Int answer=new Int (this); 

//Set negative to false 
answer . negat ive= f a 1 s e ; 
return answer; 

} 

public Int negative!) { 

Int answer=new Int (this); 

//Flip the negative value 
answer . negat ive= ! thi s . negat ive ; 
return answer; 

} 

The code which does most of the work is in the add(Int) method. First, it determines the 
sign of the two numbers; if they are the same, it is an addition problem, and the addDigits(Int) 
method is called. If they are not the same, it is a subtraction problem, and the subtractDig- 
its(Int) method is called. The subtractDigits(Int) method may call the borrow(Int) method, 
which allows us to borrow from digits to the left for subtraction. Of course, after the num- 
bers are added or subtracted, there may be leading zeros, which should be removed. 

public Int add (Int other) { 

Int ans; 
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//zero is a special case-nothing to do but return a copy of the 
//nonzero Int 

if (this . equals (ZERO) ) return new Int (other) ; 

else if (other. equals (ZERO) ) return new Int(this); 

else if (this . equals (other .negative 0) ) return new Int ( ) ; 

//If they are the same sign, perform the addition; add carries 
else if (negative==other .negative) { 
ans=addDigits (other) ; 
ans . negat ive=negat ive ; 

} 

//If they are of different signs, determine the larger 
// (magnitude-wise) and subtract the smailer from it. 

//Result has same sign as first (larger) operand, 
else if (this .absoluteValue (). lessThan (other . absoluteValue 0) ) { 
ans=other . subtractDigits (this) ; 
ans . negat ive=other . negat ive ; 

} else { 

ans=this . subtractDigits (other) ; 
ans . negat ive=thi s . negat ive ; 

} 

//Trim ieading zeros and return 
return ans . trimZeros ( ) ; 


public Int subtract (Int other) { 

//To subtract, we add the negative 
return this . add (other .negative ( ) ) ; 

} 

private Int addDigits (Int other) { 
int topl=this . digits . length-1 ; 
int top2=other . digits . length-1 ; 

int top3=Math. max (this . digits . length, other . digits . length) +1 ; 
Int answer =new Int ( ) ; 
answer .digits=new int[top3]; 
top3 — ; 

int carry=0; int sum=0; 
while (topl>=0&&top2>=0 ) { 

sum=thls. digits [topi] +other . digits [top2] +carry; 
if (sum>9) {sum%=10; carry=l;} else carry=0; 
answer .digits [top3] =sum; 
topi-- ; top2 — ; top3--; 

} 

if (topl<0&&top2<0 ) { 

answer .digits [0] =carry; 

} else if (topl<0) { 
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while (top2>=0) { 

sum=other .digits [top2] +carrY; 

if (sum>9) {sum%=10; carry=l;} else carrY=0; 

answer .digits [top3 ] =sum; 

top2 — ;top3--; 

} 

answer. digits [top3] =carrY; 

} else { 

while (topl>=0) { 

siim=this .digits [topi] +carrY; 

if (sum>9) {sum%=10; carry=l;} else carrY=0; 

answer .digits [top3 ] =sum; 

topi — ;top3--; 

} 

answer. digits [top3] =carrY; 

} 

return answer; 


private Int subtractDigits ( Int other) { 

Int answer=new Int { ) ; 

Int copy=new Int (this); 

answer. digits=new int [this .digits . length] ; 
int topl=this. digits. length-1; 
int top2=other . digits . length-1 ; 
while (top2>=0) { 

if (copy. digits [topi] <other. digits [top2 ] ) { 
borrow(copY, topl-1) ; 
copy. digits [topi] +=10; 

} 

answer. digits [topi] =copY. digits [topi] -other .digits [top2] ; 
topi--; top2--; 

} 

while (topl>=0) { 

answer .digits [topi] =copY. digits [topi] ; 
topi--; 

} 

return answer; 


//Method to "borrow" for subtraction 
private void borrow (Int n,int pos) { 
while (n. digits [pos] ==0) { 
n. digits [pos] =9; 
pos-- ; 
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n. digits [pos]— ; 

} 

//Method to chop off any leading zeros 
private Int trimZeros ( ) { 
int i ; 

//Look for first nonzero in the array 
for ( i=0 ; i<this . digits . length; i++) 
if (this. digits [i] !=0) 
break ; 

Int answer =new Int ( ) ; 

answer . negat ive=thi s . negat ive ; 

//Make a (possibly) smaller array for answer 
answer .digits=new int [this .digits . length-i] ; 

//Copy the nonzero digits over, and return answer 
for (int j=0;j<answer. digits. length; j++) 
answer .digits [ j ] =this .digits [ j+i] ; 
return answer; 

} 

Methods to multiply and divide Ints should also be written. We will develop the multi- 
ply(Int) method here. When we multiply two integers, we really just multiply by a single digit 
at a time, then perform a total of these individual products. For example, when we do 

527 
X 613 


we actually do these separate products: 

527 X 6 = 3162, 527 X 1 = 527, and 527 X 3 = 1581. 

We then add these products together, shifting some of the products to the left. That is, we 
append a zero to 527 X 1 since 1 is in the tens column, and we append two zeros to 526 X 
6 because 6 is in the hundreds column: This gives us 

527 
X 613 
1581 
+ 5270 

+ 316200 
323051 

Thus our multiplication problem actually becomes an addition problem, as long as we 
are able to multiply an integer by a single digit, and as long as we can append a certain 
number of zeros to our sub-products. Doing the latter in Java is very simple, as you can see 
from the following code: 
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private Int appendzeros ( int places) { 

//Make a new Int object 
Int result=new Int ( ) ; 

//If this equals 0, return 0; no need to append 
if (this . equals (ZERO) ) return result; 

//Make the resulting array larger 

result . digits=new int [this .digits . length+places] ; 

//Shift the digits into the new array 

for (int i=0 ; i<this . digits . length; i++) { 

result .digits [i] =this .digits [i] ; 

} 

return result; 

} 

Now, to multiply an Int by a single digit, we simply multiply each digit in the first operand 
by the selected digit from the second operand. If this product is greater than 9, we use the 
remainder of division hy 10 for the corresponding digit in the result (plus a possible carry 
from the previous multiplication), and we record the quotient when dividing by 10 as a 
carry. Take the following example: 

527 

X 3 

? ? ? 


We first take 7 X 3 = 21; 1 becomes the digit in the one’s column of the result, and 2 
becomes the carry. 

2 

527 
X 3 

? ? 1 

We then take 2X3 = 6, and add the previous carry 2, to get 8. This becomes the digit in 
the tens column of the result, and 0 becomes the carry. 

0 

527 

X 3 

?81 


Now we take 5X3 = 15, and add the previous carry 0. 5 becomes the digit in the hun- 
dreds column of the result, and 1 becomes the carry. 

1 

527 
X 3 


581 
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There are no more digits to multiply, but there is the possibility of one final carry, as is 
the case here. This becomes the thousands digit in the result. 

527 

X 3 

1581 

Of course, this is exactly how we’ve done multiplication by a single digit since elemen- 
tary school, but perhaps coding it seems not so elementary. Examine the following code 
carefully: 

//Method to multiply an Int by a single decimal digit 
//Called repeatedly by multiply (Int) method 
private Int multiply (int otherDlgit) { 

//Make a new Int for the answer 
Int result=new Int ( ) ; 

//If digit to multiply by is 0, return 0 
if (otherDigit==0 ) return result; 

//Make the answer array one longer than the first operand, 

//in case there is a carry 

result .digits=new int [this . digits . length+1] ; 
int carry=0; 
int tempinteger ; 
int i ; 

for ( i=this . digits . length-1 ; i>=0 ; i-- ) { 

//i+lth digit of result is the ith digit of the first operand 
//times the digit in the second operand. If this is more than 
//lO, we must keep only the least significant digit. 

//We also add any previous carries 
templnteger=this . digits [i] *otherDigit+carry ; 
result . digits [ i+1 ] =templnteger%10 ; 

//If the product is more than 10, we must set carry 
//for the next round 
car 2 ry=templnteger /10 ; 

} 

//Possibility of one last carry; do the final digit, 
result .digits [0] =carry; 
return result ; 

} 

Once we have the ability to append zeros and to multiply an Int by a single digit, multi- 
plying two Int objects simply becomes a matter of calculating these sub-products and adding 
them together. This part is actually easy with the two previous methods defined, as you can 
see in the following code: 

public Int multiply (Int other) { 
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//Initialize the answer to 0 
Int result=new Int ( ) ; 

//If either operand is 0, return 0 

if (this . equals (ZERO) I I other . equals (ZERO) ) return result; 

//Now, multiply the first operand by each digit in the 
//second operand, shifting left each answer by a power of ten 
//as we pass through the digits, adding each time to result, 
for (int i=0; i<other . digits . length; i++) { 

result =result . add (this .multiply (other . digits [i] ) 

. appendzeros (other .digits . length-l-i) ) ; 

} 

//If operands are same sign, result is positive 
//otherwise, the result is negative; 0 is already taken care of 
if ( this. negative==other. negative) result .negative=false; 
else result .negative=true; 

//Return the result 
return result . trimZeros ( ) ; 


Note that at the end of the multiply(Int) method we remove any leading zeros which may 
come about. Another consideration is the sign of each operand; If they are equal, the result 
is a nonnegative number; otherwise, the result is negative. Zero is treated as a special case. 

At this point, you should be able to write the divide(Int), and remainder(Int) methods, and 
will be asked to do so in the exercises. It would be prudent to write a divideAndRemain- 
der() method, since both the quotient and remainder would probably be generated at the 
same time. It could return an array of two Ints, with the quotient in slot 0, and the remain- 
der in slot 1 of the array. 

Division is the most costly (in terms of computer time) to run. For now, we only consider 
problems where the dividend and divisor are both positive. One of the primary problems is 
estimating the digits in the quotient. For example, consider the following division problem: 

6772190 H- 37658. 

Note that 3 (the leading digit of the divisor) goes into 6 (the leading digit of the dividend) 
twice, but the real quotient of the previous division is 179. The estimate of the first digit of 
the quotient is too high. A similar problem occurs in the following problem: 

19276 -I- 273. 

Note that the leading digit of the divisor cannot go into the leading digit of the dividend 
at all, and we must therefore attempt to take the divisor into the first two digits of the divi- 
dend. One way to avoid spending too much time estimating is to allow the quotient to have 
mixed positive and negative digits. Consider again 


19276 - 273. 
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Number the position of each digit: 

19276 273 

54321 321 

First, attempt to divide 1 by 2; if this fails, incorporate another digit. Here we divide 19 
by 2, which yields 9. Produce the first value for the quotient: 

90 . 

The number of zeros to add is clear when you note the position of the 9 in the dividend 
is 4, and the position of the 2 in the divisor is 3. Thus, we add 4 — 3 = 1 zero. Now, sub- 
tract 90-273 from 19276: 


19276 

-24570 

-5294 

Now, attempt to divide 2 into —5; this yields —2. Since the —5 is at position 4, and 2 is 
still at position 3, we add a zero to get 


-20 


We now modify the quotient value: 

90 + -20 = 70 . 

Now, subtract —20 • 273 from —5294; this gives us 

-5294 

--5460 

166 

Note now that the value remaining is smaller than the divisor 273; thus, we have 

quotient = 70, and 
remainder =166. 

Here is the whole process written out; the only difference between this and the way we 
normally do division is that negative quantities appear in the quotient: 

70 

^ 

273)19276 

-24570 
-5294 
— 5460 


166 
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Here is another example for you: 


80297 

-3 

300 

-10000 

90000 

123)9876543 

- 11070000 
-1193457 
— 1230000 
36543 
- 36900 
-357 
— 369 
12 


It is entirely possible that this process could yield a negative remainder, as in the following 
example (the absolute value of —542 is less than the divisor, 982). 

^ 

982) 9278 

- 9820 

-542 

When this happens, it is easy to fix: simply add the divisor to the negative remainder and 
subtract 1 from the quotient. In this case, this yields: 

quotient = 9 

remainder = 440. 

Now we consider what to do when either the dividend or divisor is negative. Note that 
if X is the positive dividend, y is the positive divisor, q is the quotient, and r is the remain- 
der, we can express their relationship to each other as: 

X = yq + r b > r> 0. 

If either x or y changes sign, we can maintain this relationship by inverting some signs. 
For example, we can perform calculations with all positive numbers, because: 


if y is negative, change the sign of q, since 
x = yq + r iff 
x= -y{-q) + r. 
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if X is negative, change the sign of both q and r, since 
x = yq + r iff 
-x=-iyq + r) iff 

-x = y{-q) - r, 

and if both x and y are negative, change the sign of r, since 
x = yq + r iff 
-x= -(-y(-q) + r) 

—X = —yq — r. 



With this in mind, writing a division method should be a snap. 

Naturally, the arithmetic methods must be tested. No programmer ever designs a class 
without writing a multitude of programs to wring all the bugs out of it. I’ve written a sim- 
ple applet to do this. I ask the user to enter an Int in a text field, and then they click an oper- 
ation, either or They then enter another Int and press the “=” button. This is 

the beginning of a calculator; you will be asked to produce a better one in the exercises. Some 
screen shots follow, and the applet can be found on the book’s website under the class name 
TestIntArithmeticMethodsApplet. (See Figure 2.4a-c.) 


FIGURE 2.4 (a) 



(b) 
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FIGURE 2.4 (c) 

(continued) 



Having an Int class is a very valuable tool, for it frees us from the boundaries placed on 
us by the primitive integer data types of most computer languages. A Java int, for example, 
is only 4 bytes, which is not nearly large enough for the numbers we will need to handle in 
this book. However, the cost of this freedom is decreased performance, and as a result large 
integer packages are usually very carefully designed and optimized to yield the maximum 
benefit. The Int class as we have designed it here is in fact rather poor, but it is neverthe- 
less a good introduction for someone who has never attempted the feat before. In the exer- 
cises we will discuss how to produce a much better Int class. 


THE JAVA BIGINTEGER CLASS 

Java provides a Biginteger class with the same functionality that we have given our Int 
class, and more. It is optimized for speed, and we will use it for further development. Rewrit- 
ing programs for the Int class and then comparing their performances to the Biginteger class 
will make interesting exercises, and you are invited to do this. 


CONSTRUCTORS 

A partial list of the Biginteger constructors and methods follows; 

• public Biginteger (byte B[]) throws NuirberFormatException 

This constructor translates a byte array containing the two’s-complement representation 
of a signed integer into a Biginteger (see Figure 2.5). The input array is assumed to be big- 
endian; that is, the most significant hyte is in the [0] position. The most significant bit of the 
most significant byte is the sign hit. The array must contain at least one hyte or a Number- 
FormatException will be thrown. 

• public Biginteger (int signum, byte magnitude!]) throws 

NuirberFormatExcept ion 
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This constructor translates the sign-magnitude representation of an integer into a Bigln- 
teger (see Figure 2.6). The integer is sent in as an array of bytes, and the sign is represented 
as an integer signum value: 

— 1 for negative, 

0 for zero, and 

1 for positive. 


The magnitude is represented as a big-endian byte array; that is, the most significant 
byte is in the [0] position. An invalid signum value or a 0 signum value coupled with a 
nonzero magnitude will result in a NumberFormatException. A zero length magnitude array 
is permissible and will result in a value of zero regardless of the given signum value. 


• public Biginteger (String val) throws NumberFormatException 


This translates a string containing an optional minus sign followed by a sequence of one 
or more decimal digits into a Biginteger. Any extraneous characters (including whitespace) 
will result in a NumberFormatException. 
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HxAMPLE. This constructor is very useful when entering large integers in decimal format from 
an input device. An example of how it may be called follows: 

Biginteger m = new Biginteger ("92387569832653429874569286898623498") ; 


• public Biginteger (String val, int radix) throws NumberFormatException 

This translates a string containing an optional minus sign followed by a sequence of one 
or more digits in the specified radix into a Biginteger. Any extraneous characters, includ- 
ing whitespace, or a radix outside the range 2 through 36, will result in a NumberFormat- 
Exception. 


-EXAMPLE. This constructor is similar to the previous one, and is likewise very useful when 
entering large integers in decimal format from an input device. However, with this con- 
structor we can specify the base of the number being entered. An example of creating a Big- 
integer object from the string representation of a number in base 2 follows: 

Biginteger m = new 

Biginteger ("101111100001010111010000001111101010011111101", 2) ; 


• public Biginteger (int bitLength, int certainty. Random rnd) 

This returns a randomly selected Biginteger with the specified bitLength that is proba- 
bly prime. The certainty parameter is a measure of the uncertainty that the caller is willing 
to tolerate: the probability that the number is prime will exceed 1 — (1/2)' where t = certainty. 
The execution time is proportional to the value of the certainty parameter. The given ran- 
dom number generator is used to select candidates to be tested for primality. This will throw 
an ArithmeticException if bitLength < 2. 


I£xAMPLE. This Biginteger constructor will prove to be the most useful of them all for our 
purposes, for it can generate random (probable) primes for use in cryptosystems. To gener- 
ate an integer 1024 bits long, which is prime with probability 0.875 = 1 — (0.5)^, we could 
make the following calls: 

SecureRandom sr=new SecureRandom ( ) ; 

Biginteger p=new Biginteger (1024, 3, sr) ; 

The SecureRandom class (seen here) is a subclass of Random; if used properly, it gen- 
erates random integers much more difficult to predict than those created by ordinary ran- 
dom number generators. 


public Biginteger (int numBits, Random rndSrc) throws 
IllegalArgumentException 
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This returns a random number uniformly distributed on the interval [0, — 1], 

assuming a fair source of random bits is provided in rndSrc. Note that this constructor always 
returns a nonnegative Biginteger. It throws an IllegalArgumentException if numBits < 0. 

HXAMPLE. This constructor just generates random positive integers without regard to pri- 
mality. Again, to ensure randomness which is hard to predict, SecureRandom objects should 
be used, as seen here: 

SecureRandom sr=new SecureRandom () ; 

Biginteger p=new Biginteger (1024, sr) ; 


2.6 METHODS 

This is the last of the constructors; the Biginteger methods follow: 

• public static Biginteger valueOf(long val) 

Returns a Biginteger with the specified value. This factory is provided in preference to 
a (long) constructor because it allows for reuse of frequently used Bigintegers, such as 0 and 
1, obviating the need for exported constants. 


HXAMPLE. (Note that this is a static method, and so is called by the class name): 
final Biginteger ONE=BigInteger .valueOf (1) ; 

The methods following perform basic arithmetic with Bigintegers. 

• public Biginteger add (Biginteger val) throws ArithmeticException 
Returns a Biginteger whose value is {this + val). 

• public Biginteger subtract (Biginteger val) 

Returns a Biginteger whose value is {this — val). 

• public Biginteger multiply (Biginteger val) 

Returns a Biginteger whose value is {this ■ val). 

• public Biginteger divide (Biginteger val) throws ArithmeticException 

Returns a Biginteger whose value is the quotient of {this / val). It throws an ArithmeticEx- 
ception if val = 0. 

• public Biginteger remainder (Biginteger val) throws 

ArithmeticException 

Returns a Biginteger whose value is the remainder of {this / val). It throws an Arith- 
meticException if val = 0. 
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IXAMPLE. Using these methods is elementary, as you can see from the following program 
fragment: 

Biginteger opl=new Biginteger ("3") ; 

Biginteger op2=new Biginteger ("2") ; 

Biginteger suin=opl . add (op2 ) ; 

Biginteger dif ference=opl . subtract (op2 ) ; 

Biginteger product=opl.multiplY(op2) ; 

Biginteger guotient=opl .divide (op2 ) ; 

Biginteger rem=opl .remainder (op2 ) ; 


• public Biginteger [] divideAndRemainder (Biginteger val) 
throws ArithmeticException 

Since most division algorithms produce the quotient and the remainder at the same time, 
a more efficient way of capturing both of these values is provided by the divide- 
AndRemainderO method. 

I£xAMPLE. The answers are returned in an array of two Bigintegers, as follows: 

Biginteger opl=new Biginteger ("9") ; 

Biginteger op2=new Biginteger ("2") ; 

Biginteger!] answers=new Biginteger [2] ; 
answers=opl . divideAndRemainder (op2 ) ; 

When this code completes, answers[0] contains the value 4 (as a Biginteger), and 
answers[l] contains 1. 


• public Biginteger pow(int exponent) throws ArithmeticException 

This method returns a Biginteger whose value is this" where e = exponent and throws an 
ArithmeticException if e < 0 (as the operation would yield a noninteger value). Note that e 
is an integer rather than a Biginteger 

jxAMPLE. Here is an example of how this method would be used (it calculates 2^^®): 

Biginteger base=new Biginteger ("2") ; 

Biginteger humungous=base.pow(256) ; 

Clearly, care should be used with this method, for it can easily generate gigantic num- 
hers which could exhaust the storage capacity of the computer. 


• public Biginteger gcd (Biginteger v) 

This method returns a Biginteger whose value is the greatest common divisor of \this\ and 
Ivl. It correctly returns (0, 0) as 0. 
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• public Biginteger abs ( ) 

This method returns a Biginteger whose value is the absolute value of this number. 

IxAMPLE. Here is how you would call the method: 

Biginteger test=new Biginteger ("-1") ; 
test=test . abs ( ) ; 


• public Biginteger negate ( ) 

This method returns a Biginteger whose value is (— 1 • this). 

• public int signumO 

This method returns the signum function of this number; that is, 

— 1 if this < 0, 

0 if this = 0, 

1 if this > 0. 

• public Biginteger mod (Biginteger m) 

This method returns a Biginteger whose value is this mod m. It throws an ArithmeticEx- 
ception if m < 0. This method may return a negative value if the dividend is negative. 

• public Biginteger modPow( Biginteger e, Biginteger m) 

This method returns a Biginteger whose value is {this‘s) mod m. If e = 1, the returned value 
is this mod m.\ie< 0, the returned value is the modular multiplicative inverse of this~‘^. This 
method throws an ArithmeticException if m < 0. 



Java Algorithm The modPow() method will be handy in the upcoming development 
of cryptography; b.modPow(y,n) basically returns the remainder of b'’ divided by n, where 
b, y, and n are all positive Bigintegers. Eor example, if b = 2, y = 3, and n = 5 were all 
declared as Bigintegers, then b.modPow(y,n) would return the remainder of 2^/5, or 3. Fig- 
ure 2.7 shows an applet which allows you to enter b, y, and n, and then returns and displays 
b.modPow(y,n). 

The code for this applet can be found on the book’s website under the class name 
TestPowApplet. 

• public Biginteger modinverse (Biginteger m) throws ArithmeticException 


This method returns the modular multiplicative inverse of this modulo m. (The expla- 
nation of “modular multiplicative inverse” will come later.) The method throws an Arith- 
meticException if m < 0 or if this has no multiplicative inverse mod m (that is, if this and 
m are not relatively prime). 


public Biginteger shiftLeft (int n) 
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FIGURE 2.7 


This method returns a Biginteger whose value is this « n\ that is, it shifts the binary rep- 
resentation of this n bits to the left. 

• public Biginteger shiftRight (int n) 

This method returns a Biginteger whose value is this » n\ that is, it shifts the binary rep- 
resentation of this n bits to the right. 

• public Biginteger and (Biginteger val) 

This method returns a Biginteger whose value is {this & val). It performs a bitwise AND 
on the two Bigintegers. 

SxAMPLE. If a and b are two Bigintegers, where 

a= I00I0Ilta3e2 

^=I0II0I0b,,e2 

then the following call 

Biginteger c = a.and(b) ; 

leaves c with the value 1001010|,ase2- 

This method returns a negative number iff both this and val are negative. 


• public Biginteger or (Biginteger val) 

This method returns a Biginteger whose value is (this I val). 


Example. This method performs a bitwise OR on the two operands. So if a and b are as 
defined previously; that is. 


a= lOOIOIl 
lOIIOIO 


base 2 
base 2 
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then the following call 

Biginteger c = a.or(b); 

leaves c with the value 1011011base2- 

This method returns a negative number iff either this or val is negative. 


• public Biginteger xor (Biginteger val) 

This method returns a Biginteger whose value is {this ^ val). 


I£xAMPLE. This method performs a bitwise exclusive OR on the two operands. So if a and 
b are as defined previously; that is, 


a = 1001011 
b= 1011010 


base 2 
base 2 


then the following call 


Biginteger c = a.xor(b); 
leaves c with the value 0010001i,ase2- 

This method returns a negative number iff exactly one of this and val are negative. 


• public Biginteger not ( ) 

This method returns a Biginteger whose value is this with each bit flipped. It returns a 
negative value iff this is nonnegative. 


Example. Thus, if we are using b as defined earlier; that is. 


b = 


101 1010b,, e 2, 


then the following call 
Biginteger c = b.notO; 
leaves c with the value 0100101base2- 

• public Biginteger andNot (Biginteger val) 

This method is equivalent to and(val.not()), and is provided as a convenience for mask- 
ing operations. This method returns a negative number iff this is negative and val is posi- 
tive. 

• public boolean testBit(int n) throws ArithmeticException 

This method returns true iff the designated bit is set, and throws an ArithmeticException 
if n < 0. 
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• public Biginteger setBit(int n) throws ArithmeticException 

This method returns a Biginteger whose value is equivalent to this number with the des- 
ignated bit set. It throws an ArithmeticException if n < 0. 

• public Biginteger clearBit(int n) throws ArithmeticException 

This method returns a Biginteger whose value is equivalent to this number with the des- 
ignated bit cleared. It throws an ArithmeticException if n < 0. 

• public Biginteger flipBit(int n) throws ArithmeticException 

This method returns a Biginteger whose value is equivalent to this number with the des- 
ignated bit flipped. It throws an ArithmeticException if « < 0. 

• public int getLowestSetBit ( ) 

This method returns the index of the rightmost (lowest-order) one bit in this number 
(that is, the number of zero bits to the right of the rightmost one bit). It returns — I if this 
number contains no one bits. 

• public int bitLengthO 

This method returns the number of bits in the minimal two’s-complement representation 
of this number, excluding a sign bit. Eor positive numbers, this is equivalent to the number 
of bits in the ordinary binary representation. 

• public int bitCount ( ) 

This method returns the number of bits in the two’s-complement representation of this 
number that differ from its sign bit. This method is useful when implementing bit- vector style 
sets atop Bigintegers. 

• public boolean isProbablePrime(int certainty) 

This method returns true if this Biginteger is probably prime, or false if it’s definitely com- 
posite. The certainty parameter is a measure of the uncertainty that the caller is willing to 
tolerate: the method returns true if the probability that this number is prime exceeds 1 — 1/2' 
where t = certainty. The execution time is proportional to the value of the certainty parameter. 
The test for primality here is the same one used in the constructor that generates random prob- 
able primes. 

• public int compareTo (Biginteger val) 

This method returns — 1, 0, or 1 as this number is less than, equal to, or greater than val. 
This method is provided in preference to individual methods for each of the six boolean 
comparison operators: 


!= 

< 
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a 


<= 

> 

>= 


IXAMPLE. Examples for performing these comparisons are any of the following: 

boolean b=x.compareTo(y)<0; 

b=x . compareTo (y) <=0 ; 

b=x . compareTo (y) >0 ; 

b=x . compareTo (y ) >=0 ; 

b=x . compareTo (y ) ==0 ; 

b=x . compareTo (y ) ! =0 ; 

• public boolean equals (Object x) 

This method returns true iff x is a Biginteger whose value is equal to this Biginteger. It 
is provided so that Bigintegers can be used as hash keys. 

• public Biginteger min (Biginteger val) 

This method returns the Biginteger whose value is the lesser of this and val. If the val- 
ues are equal, either may be returned. 

• public Biginteger max (Biginteger val) 

This method returns the Biginteger whose value is the greater of this and val. If the val- 
ues are equal, either may be returned. 

• public int hashCode ( ) 

This method computes a hash code for this object. 

• public String toString(int radix) 

This method returns the string representation of this number in the given radix. If the radix 
is outside the range from 2 through 36, it will default to 10. This representation is compat- 
ible with the (String, int) constructor. 


I^XAMPLE. An example of how this method may be called follows: 

Biginteger bigBoy=new Biginteger ("255") ; 

System. out .println("255 in binary is "+bigBoy.toString(2) ) ; 

The output is: 

255 in binary is 11111111 
• public String toStringO 

This method returns the string representation of this number, radix 10. The digit-to-char- 
acter mapping provided by Character. forDigit is used, and a minus sign is prepended if 
appropriate. This representation is compatible with the (String) constructor, and allows for 
string concatenation with Java’s + operator. 
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I£xAMPLE. An example of how this method may be called follows: 

Biginteger bigBoy=new Biginteger ("255") ; 

System. out. println(bigBoY.toString() ) ; 

However, it is often not necessary to convert Bigintegers to Strings before printing them, 
for we can use implicit calls to a toStringO method by concatenating a Biginteger to a String 
using the “+” concatenation operator: 

Biginteger bigBoy=new Biginteger ("255") ; 

System. out. println("This # is: "+bigBoy) ; 

The Biginteger will be displayed in base 10. 


• public byte[] toByteArray ( ) 

This method converts a Biginteger into a raw array of bytes. In effect, it returns the 
two’s-complement binary representation of this number in the array, which is big-endian 
(that is, the most significant byte is in the [0] position). The array contains the minimum num- 
ber of bytes required to represent the number. For example, suppose h is a Biginteger hav- 
ing the value 987654321=111010110111100110100010110001base2- (You may wish to verify 
that this is actually the base 2 representation of 987654321.) Then we make the following 
call: 

byte[] a=b.toByteArray( ) ; 

This will produce a byteArray of 4 bytes, assign it to a, and the most significant digits 
of the Biginteger b will be first. That is, 

a[0]=001 11010, 

a[l]=11011110, 

a[2]=01 101000, and 

a[3]=10110001. 

This representation is compatible with the (byte[]) constructor. 

• public int intValueO 

This method converts this number to an int. 

• public long longValue ( ) 

This method converts this number to a long. 

• public float f loatvalue ( ) 

This method converts this number to a float. It is similar to the double-to-float narrow- 
ing primitive conversion defined in The Java Language Specification: If the number has 
too great a magnitude to represent as a float, it will be converted to infinity or negative 
infinity as appropriate. 
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• public double doubleValue ( ) 

This method converts this number to a double. It is similar to the double-to-float nar- 
rowing primitive conversion defined in The Java Language Specification: If the number 
has too great a magnitude to represent as a double, it will be converted to infinity or nega- 
tive infinity as appropriate. 


EXERCISES 

1. Write the following Java methods for the Int class: 

public Int[] divideAndRemainder ( Int other); 
public Int divide (Int other); 
public Int remainder { Int other); 

The first returns both the quotient and remainder of one Int object divided by another. 
(This is more efficient since you will probably compute both quantities at the same 
time anyway.) Return these two values as an array of two Ints; answer[0] could contain 
the quotient, and answer[l] could contain the remainder. The second and third meth- 
ods return the quotient and the remainder of Int division, respectively. 

2. Design a graphical calculator for Int objects, with buttons to perform addition, multi- 
plication, subtraction, and division. If desired, write methods to perform other opera- 
tions with Ints, and supply buttons for these on the calculator. Establish precedence 
among your operators, and include parentheses buttons to override precedence rules. 
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3. There are many ways to implement a class to perform arithmetic with arbitrarily large 
integers. The method presented in this chapter is perhaps the most intuitive for us, 
because it uses decimal arithmetic, and because the algorithms closely resemble what 
we do as humans. However, a computer does arithmetic in a different way than us. First 
of all, numbers are represented as a series of switches that are either on or off, or in 
binary. 

To develop a large integer class that executes more efficiently, we want to mimic as 
closely as possible the way a binary computer does arithmetic. While we are at it, we 
might want to make the number representation more flexible, and use linked lists to hold 
the data instead of arrays. For example, suppose we use a doubly-linked list with a 
head and tail pointer. It will point at a series of ints (or bytes, or shorts, or longs), where 
each int represents part of the binary integer. (See the figure.) 



To perform addition of integers with the same sign, simply add them as binary integers 
the same way the computer does. If there is a carry in the high order digit of each int, carry 
it over to the next int. To subtract, simply add the negative, then store all negative num- 
bers in two’s-complement form, the same way a computer normally does. The two’s- 
complement of a binary integer is where each bit is inverted, and then you add 1 . For 
example, the byte-sized two’s complement of 9 = 00001001|,ase2 is 11110111base2- Thus, 
if you wish to compute 5 minus 9 in binary, this is 

00000101 
- 00001001 

To do a subtraction, form the two’s-complement of the second integer, and add them. 

00000101 
-H 11110111 
11111100 

This answer is the two’s-complement representation of —4 (you can verify this by sub- 
tracting 1 then inverting the bits), and so the answer to 5 minus 9 is —4, as it should be. 
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Multiplication and division in binary is particularly easy and fast to implement, 
since it involves mostly just shifting to the right or left, and adding. For example, to mul- 
tiply 5 by 9 we take 


00000101 

X 00001001 

Which we note is simply OOOOOlOlbase 2 plus OOlOlOOObase 2 (which is OOOOOlOlbase 2 
shifted to the left 3 places). This gives us 00101 lOlbase 2> or 45 in decimal, which is 
correct. 

Now, with all of this in mind, rewrite the Int class. 

4. If you prefer using base 10 for the Int() class (it’s much easier to convert these to and 
from strings, for example), you may consider using base 1 billion. A number in this 
base can be written as 

a„ • 1000000000" h- a„_i • lOOOOOOOOO""' + ... + ai- lOOOOOOOOO' h- Gq • 1000000000°. 

where each a, is an integer between 0 and 999999999. 

The array (or list) of ints which hold the “digits” can store a number in this range. 
The size of this data structure will clearly be much smaller. Conversion between base 
1 billion and base 10 is easy because 1 billion = 10°. You may also consider using an 
array (or list) of type long, using as your base the maximum power of 10 which does 
not exceed the maximum positive long value 2°^ — 1 . 
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The Integers 


In order to understand most of modern cryptography, it is necessary to understand 
some number theory. We begin with the divisibility properties of integers. 

Definition 

If a and b are integers with a 0, we say that a divides b if there is an integer c such 
that b = ac. If a divides b, we also say that a is a divisor, or factor, of b, and we write 
a\b. We also write a -f b if a does not divide b. 

For example, 3127, since 27 = 3 • 9. Likewise, 5 -f 32, because there exists no inte- 
ger c such that 32 = 5c. 


Using this test, we can find and list the divisors of all nonzero integers. For example, the 
divisors of 9 are ±1, ±3, and ±9. The factors of 20 are ± 1, ±2, ±4, ±5, ± 10, and ±20. 
Now, we prove some properties of divisibility. 

PROPOSITION 1 If X, y, and Z are integers with x\y and y\z, then viz. 

Proof. Say that integer x divides integer y, and y divides integer z. Then 3 (there exits) 
an integer c such that y = cx, and 3 an integer d such that z = dy. Now, note that z = dy = 
d(cx) = (dc)x, and that dc is likewise an integer. Thus, x divides z- • 

Example. Note that 319, and that 9172. By the previous theorem, this implies that 3 also 
^ divides 72. 


The next theorem is as easy to prove as the previous, and the proof is left to you. 
PROPOSITION 2 Ifc,v,y, m, and n are integers such that clx and cly, then cl(mv + ny). 
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This proposition tells us that if an integer divides two others, it also divides any integer 
linear combination of the other two. 


HXAMPLE. 


a 


+ 6 - 8 . 


Note that 4120 and 418. By the previous theorem then, 4 also divides 128 = 4-20 


The following proposition is very useful in that it establishes that any integer can be 
expressed as a multiple of any other positive integer b, plus some remainder, where that 
remainder is nonnegative and less than b. It is called the division algorithm. 


3.1 THE DIVISION ALGORITHM 

PROPOSITION 3 (The Division Algorithm.) If y and b are integers such that b>0, then 
3 unique integers q and r such that Q< r < b and y = bq + r. This q is called the quotient, r 
the remainder, b the divisor, and y the dividend. 

Proof. Let S be the set of all integers of the form y — bk where k is an integer. Further, 
let T be the set of all nonnegative members of S. T is not the empty set, since y — bk> 0 
whenever k < y/b. So, T must have a smallest element; choose q to be the value of k so that 
y — is the smallest member of T. Now, set r = y — bq. We will show that this choice of 
q and r are exactly those desired. First, we know that r > 0, (since y — bq is nonnegative) 
and r <b, since if r > h we would have r>r — b = y — bq — b = y — b{q + 1) > 0, which 
says we have a nonnegative integer smaller than r in T, a contradiction. Thus, Q< r < b. 

We have shown that r and q exist; now we must show that they are unique. Suppose we 
have two equations 

y = bq, + r, (*) 
y = bqj + rj 

with 0 < ri < b and 0 < r 2 < b. Subtract the second from the first to get 0 = b{qi — ^ 2 ) + 
(d ~ or ^2 ~ D = “ Gi)- Thus, b\{r 2 — rj). Since 0< ri< b and 0 < ^2 < h we get 

— h < r 2 — ri<b. Because 0 is the only multiple of b between —b and b (not including —b 
and b), b divides r 2 — Ti only if ^2 — rj = 0, or when = ^ 2 . Replacing r 2 with rj in the equa- 
tions in (*), we easily establish that qi = q 2 , and thus q and r are indeed unique. ■ 


I£xAMPLES. We wish to find q and r as defined in the division algorithm for all of the fol- 
lowing equations: 

• ()5 = 'iq + r. Divide 65 by 3 to get q = 21, r = 2. 

• — 21 = 5^ H- r. If we simply divide —21 by 5, we get a quotient of —4, and a remainder 
of — 1. To place the remainder in the proper range, simply add 5 to it, while subtracting 
1 from the quotient. This yields q = —5, r = 4. This is a simple way of calculating q and 
r when the dividend is negative. 
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Prime numbers play a huge role in number theory, and in modern cryptography as well. 
Thus, the definition of a prime number follows. 


Definition 

A prime number, or a prime, is an integer greater than 1 divisible by no positive inte- 
gers other than itself and 1 . A positive integer greater than 1 that is not prime is said to 
be composite. 


lixAMPLES. All of the following integers are primes: 2, 7, 23, 29, and 163. None of these num- 
bers has positive factors except themselves and 1 . On the other hand, the following num- 
bers are composite: 4 = 2X2, 100 = 2X2X5X5, and 39 = 3 X 13. You should be 
careful to note, however, that many integers are neither prime nor composite, as all primes 
and composite numbers are positive integers greater than 1. For example, the following 
integers are neither prime nor composite: 1,0, —21, and —5. 


It is important to establish that every positive integer greater than 1 has a prime divisor, 
for it helps us establish that there are infinitely many primes. It also helps us determine the 
whereabouts of a prime factor for composite numbers. 

PROPOSITION 4 Every positive integer greater than I has a prime divisor. 

Proof. First, assume there is a positive integer greater than 1 having no prime divisors. 
Thus, the set of all such integers is not empty, and so has a least element, say m. Since m 
has no prime divisors and m\m, m is not prime. So m is composite, and we write m = bc where 
\ <b <m and 1 < c < m. Now, since b <m, b must have a prime divisor, say p, since m is 
the least nonnegative integer having no prime divisors. But p then also divides m by Propo- 
sition 1, and so m has a prime divisor, a contradiction. ■ 

PROPOSITION 5 There are infinitely many primes. 

Proof. Take the integer z = n\+l, where n > 1. Proposition 4 says z has a prime divisor, 
say p. Suppose p<n. Then we would have pin!. This is so since 

n\=n{n - l)(n - 2) ... 3 • 2 • 1, 

and if p < n, it must divide one of the numbers in the sequence. But then, by Proposition 2, 
we would have pl(z — n!) = 1, an impossibility. So the prime p must be greater than n, and 
since n is completely arbitrary, we have found a prime larger than n for any integer n. This 
establishes that there must be infinitely many primes. ■ 


It is important for us to establish that there are infinitely many primes, as we must be able 
to freely select primes for use in cryptographic applications. The primes we choose are usu- 
ally kept secret, so there must be enough primes scattered about to make finding the primes 
you choose very difficult for an attacker. 
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PROPOSITION 6 If n is composite, then n has a prime factor not exceeding the square 
root of n. 

Proof. Suppose n is the product of integers b and c, and say I < b < c < n. Note that b is 
no greater than ause if it were, c would also be greater than Vn, implying that be > Vn 

• Vn = n, a contradiction. Proposition 4 says that b must have a prime divisor, which must 
also divide n by Proposition 1. Thus, a prime divisor smaller than Vn exists. ■ 


The previous result tells us that if we wish to search sequentially for a prime factor of some 
number n, we need not exceed its square root. This can reduce our workload considerably. For 
example, if we wish to know whether or no t 101 is prime, we need only search for factors up 
to 10, which is the largest integer < V 101. We check for factors in Table 3.1. 

We conclude, therefore, that 101 is prime. Proposition 6 proves it is not necessary to 
search for factors of 101 greater than 10, for one such factor, if it exists, must be < 10. 

This sequential method for determining whether or not numbers are prime is known as 
trial division by small primes. 

Say we want to find a prime factor of an integer consisting of 500 decimal digits. (This 
is typical in modern cryptography.) Then the square root of that number would still be about 
250 decimal digits. Asking the computer to search each number in a sequential fashion up 
to the square root would take an enormous amount of time. Thus, trial division is limited to 
integers having small prime factors. If we want to factor large integers, we must find bet- 
ter methods of factoring. 

We can speed up trial division by noting that it isn’t necessary to divide by every inte- 
ger not exceeding the square root of n, but only those integers which are prime. If we make 
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a table of all integers from 2 to n, we can begin by successively crossing out all multiples 
of 2, then multiples of 3, then multiples of 5, and so on. In this way, we can determine all 
primes less than or equal to any integer; they are the numbers which have not been crossed 
out. 

For instance, we make a list of all the integers from 2 to 99, and begin by crossing out 
all multiples of 2 in the list, then all multiples of 3, then the multiples of 5 (because 4 and 
all of its multiples are already crossed out), and so on until we reach 9, the largest integer 
< = 9.95. Its multiples have already been crossed out; thus the numbers in the list 

which have not been crossed out are the primes < 99. See Table 3.2. Integers which are mul- 
tiples of 2, 3, 5, or 7 have been removed. 

This method of identifying primes by crossing out multiples is known as the Sieve of 
Eratosthenes. Because of great storage requirements, it is not very efficient for determining 
large primes. 

Java Algorithm We can write a Java program which sequentially searches up to Vn 
for the smallest prime factor of n, then returns it if found. Otherwise, we conclude n is 
prime, and return n. Since trial division would perform poorly for large integers, we will just 
write it for primitive ints. 

The main method prompts the user to enter an integer n greater than 1 ; it then calls the 
sieveFactorO method, which will return the first prime divisor it finds, or n itself if n is 
prime. 
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import j avax . swing . * ; 

public class TestSieveFactor { 

public static void main ( String [] args) { 
boolean idiot ; 
do { 

idiot=false; 
try { 

int n=new Integer (JOptionPane . showInputDialog 

("Enter an integer > 1 : " ) ) . intValue ( ) ; 

if (n<=l) { 

idiot=true; 

JOptionPane . showMessageDialog (null , "Invalid integer entered!") ; 

} else { 

int d=sieveFactor (n) ; 

if {d==n) JOptionPane. showMessageDialog(null,n+" is prime."); 
else JOptionPane. showMessageDialog (null, d+" divides "+n+"."); 

} 

} catch (NumberFormatException e) { 
idiot=true; 

JOptionPane . showMessageDialog (null , e . toString ( ) ) ; 

} 

} while (idiot) ; 

System. exit (0) ; 

} 

private static int sieveFactor ( int n) { 
int divisor; boolean prime=true; 
for (divisor=2 ;divisor<=Math. sqrt (n) ;divisor++) 
if (n%divisor==0) {prime=false; break;} 
return primePn: divisor; 

} 

} 

If we ran the previous program with some test data, we get the results shown in Figure 
3.1a-h. 

The ability to factor efficiently is at the heart of breaking many cryptosystems. We thus 
begin the study of finding divisors, or factors. In particular, we want to find the greatest 
common divisor of two integers. 


Definition 

The greatest common divisor of two integers x and y, where at least one is nonzero, is 
the largest integer that divides both x and y. We also call this the gcd of x and y, and write 
it as (x, y). We define the greatest common divisor of 0 and 0 as 0; that is, (0, 0) = 0. 




Figure 3.1 
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Figure 3.1 





"Example. The divisors of 30 are ±1, ±2, ±3, ±5, ±6, ± 10, ± 15, and ±30. The divisors 
of 18 are ±1, ±2, ±3, ±6, ±9, ±18. The largest integer in both lists is 6, so the gcd of 30 
^ and 18 is 6. 


Definition 

Two integers are said to be relatively prime if their gcd is 1 . 


_£xAMPLES. The following pairs of integers are relatively prime. (Verify.) 

a. 8 and 9 

b. 23 and 44 

c. 27 and 55 
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Note that the sign of the integers is not important when computing the gcd. This is easy 
to see if one simply notices that the divisors of n are exactly the same as the divisors of —n. 
So, all of the following are equal: 

(x, y) = (x, -y) = (-X, y) = (-x, -y) = (Ixl, lyl) 

Thus, we need only concern ourselves with the gcd of positive integers. 


HXAMPLE. (18, -54) = (18, 54) = 9. 


PROPOSITION 7 Let x, y, and z be integers with (x, y) = d. Then 

a. (x/fif, y/d) = 1 

b. (x + cy, y) = (x, y). 

c. An integer c divides both x and y if and only if cl(x, y). 


Proof. (Part a.) First, suppose there is some integer n that divides both xld and yid. Then 
3 integers j and k such that xld = jn and yId = kn or, alternatively, x = djn and y = dkn. From 
this we establish that dn is a common divisor of both x and y. But d is the greatest common 
divisor of both x and y, so dn < d, implying that n = 1 . So the gcd of xld and yid is 1 . 

(Part b.) Let x, c, and y be integers, and suppose e is a common divisor of x and y. By 
Proposition 2 we know el(x + cy), so e divides both x + cy and y. On the other hand, sup- 
pose/is a common divisor of x + cy and y. Then/also divides (x + cy) — cy = x by Propo- 
sition 2. So / is then a common divisor of x and y. Consequently, we conclude that the 
common divisors of x and y are identical to the common divisors of x H- cy and y, and so they 
share the same greatest common divisor. 

(Part c.) The “if ” part is obvious, since (x, y) divides both x and y, and because if we have 
cl(x, y) we must have clx and cly by proposition 1. This tells us that the divisors of (x, y) is 
a subset of the common divisors of x and y. We can represent this with a Venn diagram, as 
shown in Figure 3.2. 

Now we write x and y as multiples of their gcd; that is, 

X = (x, y)e, and y = (x, y)f. 

and note ie,f)= 1 by part (a). Thus, no common divisor of x and y (except 1) can simulta- 
neously divide e and/, and so any common divisor of x and y must also divide (x, y). 

Thus, the set of divisors of (x, y) and the set of common divisors of x and y are the same 
set. (See Figure 3.3.) ■ 


Examples. To satisfy our cynical natures, weTl test the previous proposition with some data. 
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• Note that (24, 42) = 6, and that if we divide both 24 and 42 by 6, we can verify that (24/6, 
42/6) = (4, 7) = 1. 

• Take the same two integers, 24 and 42. Compute = 24 + (— 3)(42) = — 102, and note that 
(-102, 42) = 6 = (24, 42). 


Definition 

If X and y are integers, we will say a linear combination of x and y is a sum of the form 
mx + ny where m and n are integers. 


3.1 The Division Algorithm 
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PROPOSITION 8 The gcd of integers x and y, not both zero, is the least positive inte- 
ger that is a linear combination of x and y. 

Proof. Suppose d is the least positive integer that is a linear combination of x and y. We 
know that the set of such integers must be nonempty, as at least one of the following linear 
combinations must be positive: 


x + 0 -y, 

—x + Q-y, 

Q ■ x + y, or 
0-x-y. 

So, a least such element in this set, say d, exists. We must first show dis a divisor of both 
X and y. We have d = mx + ny where m and n are integers, and by the division algorithm we 
can obtain 

x = dq + r where 0< r <d. 

From this equation, and because d = mx + ny, we can derive 

r = x — dq = x — q(mx + ny) = (1 — qm)x — qny. 

So we can write r also as a linear combination of x and y. Now, by construction, r is non- 
negative, strictly less than d, and d is the least positive integer which may be written as a 
linear combination of x and y. So r must be zero. This means that d divides x, which is what 
we want to show. Similarly, we can show that d\y, and that d is therefore a common divisor 
of X and y, as desired. 

Now, it remains to be shown that d is the gcd of x and y. Suppose c is a common divisor 
of X and y. Then, since d = mx + ny, c divides d by proposition 2. Hence, because c is arbi- 
trary, d must be the greatest common divisor of x and y. ■ 


We now turn our attention to common divisors of more than two integers. 


Definition 

The greatest common divisor of a set of integers Oi, < 32 , ... , a„, not all zero, is the 
largest divisor of all the integers in the set. We write this as (a 1 , < 32 , ... , a„). 


Example. The greatest common divisor of 20, 30, and 15 is 5. 

PROPOSITION 9 («!, fl 2 > < 33 , . ■ ■ , a„) = ((«!, 02 ), < 33 , ... , a,,). 

Proof. Note that any common divisor of the n integers in the list ai, a 2 , ■ ■ ■ , a„ is, in par- 
ticular, a common divisor of the first two, Oi and a 2 - This divisor then also divides the gcd 
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of fli and fl 2 by proposition 7 (part c). Now consider an integer that divides the last n — 2 
integers in the list, and that also divides the gcd of ai and 02 - This divisor must then also sep- 
arately divide both ai and 02 , and so then is a common divisor of all the n integers. We now 
see that the common divisors of all the n integers are exactly the same as the common divi- 
sors of the last n — 2 integers taken with the gcd of the first two. Hence, they also have the 
same greatest common divisor. ■ 


lixAMPLE. The previous proposition is very handy in that it turns a large problem into a 
small one. It says, for example, that we can compute the gcd of 28, 126, 21, and 10 in the 
following way: 


(28, 126, 21, 10) 

= ((28, 126), 21, 10) 

= (14,21, 10) 

= ((14,21), 10) 

= (7, 10) 

= 1 . 

Note that the previous numbers, when taken together, have a gcd of 1. However, if we 
examine each pair from the list, we see that some pairs are not relatively prime. (For exam- 
ple, (28, 21) = 7.) This motivates us to make a distinction between these two situations, and 
thus make a definition. 


Definition 

We say that the integers Oi, 02 , . . . , a„ are mutually relatively prime if the gcd of the 
set of integers is 1 . We say the integers are pairwise relatively prime if each pair of 
integers taken from the set are relatively prime. 


ISxAMPLE. The numbers 18, 9, and 25 are mutually relatively prime. The largest divisor all 
have in common is 1. But, they are not pairwise relatively prime because (18, 9) = 9. 


Until now, we have presented a lot of propositions about the gcd, but no really good way 
of finding it has been presented. We could make a list of all the divisors of our numbers, then 
choose the largest divisor that they have in common, but this is not really efficient. The 
next proposition, which you should be able to prove, leads us to the Euclidean algorithm, a 
lightning-fast way of finding the gcd. 

PROPOSITION 10 If c and r/ are integers and c = dq + r where q and r are integers, then 
(c, d) = (d, r). 
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The previous proposition provides us with a particularly fast way of finding the gcd of 
two integers. We will calculate the gcd of 132 and 55. If we successively apply the division 
algorithm to obtain 

132 = 2-55 + 22 
55 =2-22+ 11 
22 = 2 - 11 + 0 , 

the preceding proposition then tells us that 

(132, 55) = (55, 22) = (22, 11) = (11, 0) = 11. 

Note that we wisely chose q and r as the same q and r obtained by the division algorithm. 
The remainders are all positive, and are getting smaller after each successive division. The 
remainder must eventually reach 0, and the previous remainder must be the gcd. The proof 
that this always works follows. 

.2 THE EUCLIDEAN ALGORITHM 

PROPOSITION 1 1 (The Euclidean Algorithm.) Let Tq = Jt and rj = y be integers such that 
X > y > 0. If the division algorithm is successively applied to obtain r, = rj+^qj+i + rj +2 with 
0 < r ,-+2 < Xj+i fory = 0, 1, 2, . . . , n — 2 and /■„+! = 0, then (x, y) = r„. 

Proof. This follows almost immediately using proposition 10. Let = x, rj = y, where x 
> y > 0. We successively apply the division algorithm to obtain 

''o = + ^2 with 0 < ^2 < rj 

''i = '' 2^2 + ^3 with 0 < ^3 < r 2 


L-2 = + L 


This process must terminate. The remainders form a strictly decreasing sequence of pos- 
itive integers bounded below by zero. This sequence can certainly have no more than x 
terms: 


ro > ri > ^2 > . . . > r„^i > r„ > r„+i = 0. 

We must eventually have = 0 for some n, where r„ is the last nonzero remainder. 
Proposition 10 then tells us that 

(x, y) = (ro, ri) = (rj, r 2 ) = . . . = (r„.i, rj = (r„, r„+i) = (r„, 0) = r„ 
and we have the desired result. ■ 

l^XAMPLE. Use the Euclidean algorithm to find the gcd of 252 and 198. Successively apply 
the division algorithm to obtain 


78 Chapter 3 The Integers 


252 = 1 • 198 + 54 
198 = 3 • 54 + 36 
54 = 1 • 36 + 18 
36 = 2-18 + 0 

The last nonzero remainder is 18, so (252, 198) = 18. We can write this process out very 
quickly as 

(252, 198) = (198, 54) = (54, 36) = (36, 18) = (18, 0) = 18. 

Java Algorithm Once we know the Euclidean algorithm, writing a method to compute 
the gcd should be simple. Though the Biglnteger class supplies a method to compute the gcd 
of two Biglntegers, it may be interesting to write our own. Here, we use a static recursive 
method. Recursion is natural for this algorithm, because if we have positive ints m and n in 
Java such that m> n, proposition 10 says that {m, n) = (n,m% n). This makes an easy sub- 
stitution in a recursive call. The recursion is not particularly wasteful in this case since the 
Euclidean algorithm arrives at the gcd so quickly. The following test program simply asks 
the user to enter two integers, then computes and displays their gcd (see Eigures 3.4a-c). 

import java.io.*; 
import j avax . swing . * ; 
import java. math. Biglnteger ; 
public class TestGCD { 

public static void main (String [ ] args) { 

Biglnteger i=new Biglnteger (JOptionPane . showInputDialog ( "Enter an integer: ")); 
Biglnteger j=new Biglnteger (JOptionPane . showInputDialog 

("Enter another integer: ")); 

JOptionPane . showMessageDialog (null , "The gcd of "+i+" and "+j+" is "+gcd(i,j)); 
System. exit (0) ; 

} 

static Biglnteger ZERO=new Biglnteger ( "0 ") ; 

//Compute the gcd recursively using the Euclidean algorithm 

private static Biglnteger gcd (Biglnteger first, Biglnteger second) { 

//Make sure both are nonnegative 
f irst=f irst . abs ( ) ; 
second=second. abs ( ) ; 

//Call the recursive method 

return recurseCCD (first , second) ; 

} 

private static Biglnteger recurseCCD (Biglnteger x, Biglnteger y) { 
if (y. equals (ZERO) ) return x; 
else return recurseCCD (y,x.mod{y) ) ; 

} 


} 
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Figure 3.4 



Enter an integer: 

° 18237961 



OK 


Cancel 





There is a test applet for computing greatest common divisors on the book’s website 
under the class name TestGCD Applet. It uses the gcd() method supplied with the Biglnte- 
ger class. Figure 3.5 shows a screen shot of a sample run. 

The following development will be very useful to us later on, for it will help us solve spe- 
cial equations called diophantine equations, and congruences. It also reveals something 
interesting about the gcd. Recall that the gcd of two numbers is the least positive integer that 
can be expressed as a linear combination of those two numbers; that is. 


(x, y) = mx + ny 

for some integers m and n. What are the values of m and n? The next proposition shows us 
exactly how these two quantities can be computed. 


PROPOSITION 1 2 (Extended Euclidean Algorithm). Let x and y be positive integers such 
that x>y>0. Then 


(x, y) = 
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where the s„ and t„ are defined recursively as 

Sj = Sj -2 - qj-iSj-i for; = 2,...,n 

^o= 1 

i'l = 0 

tj= tj-i - for; = 2, ... ,n 

(q = 0 

h = i 

and the qj and r, are as in the Euclidean algorithm. 

Rather than produce a proof right away for this, we do an example to clarify what is 
going on. Suppose we wish to express the gcd of 252 and 198 as a linear combination of 252 
and 198. We can apply the Euclidean algorithm, and while keeping track of the quotients 
and remainders, we shall also compute the two values Sj and tj during the ;th step. This is 
perhaps best done in a table. (See Table 3.3.) 

The fourth remainder is the last nonzero remainder, so we need not compute the fifth 
row in the table. The two numbers desired are 4, and —5; that is, 

18 = (252, 198) = 4 • 252 + (-5) • 198 

Now, we can show a proof to you that this always works. 

Proof. First note that (x, y) = r„, where is the last nonzero remainder generated in the 
Euclidean algorithm. If we show then that 

rj = SjX + tjy (*) 

V (for all) j = 0, I, . . . , k<n, the result then follows by induction. First, note (*) is true 
when ; = 0, and when ;' = 1 , since 

ro=l'X + 0'y = Scpc + t^y, and ry=() ■ x + \ ■ y = 5iX + tyy. 
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Table 3.3 


Now, assume (*) is true for j = 2, . . . , k — 1 . The Ath step of the Euclidean algorithm 
tells us that r*. = /■^_2 — and hy using the induction hypothesis, we can then show 

(*) is true when j = kas follows: 

rk = (Sk-2X + tk-2y) - (Sk-iX + h-iy)qk-i 
= (Sk-2 - Sk~iqk-i)x + (tk-2 - tk~iqk-i)y 

= SkX+ 10! 

Induction then says s^c + t0/ = r„ = (x, y), as desired. ■ 

Java Algorithm We should write a euclid() method to calculate the values cited in the 
foregoing theorem. The Biginteger class does not provide such a method, so we will write 
a BigIntegerMath class to place methods in. The Biginteger class will be used to house 
many of the methods used in this book. In particular, this class defines a euclid(BigInteger 
X, Biginteger y) method, which returns an array (say, arr[]) of three Bigintegers. We will set 
arr[0] to (x, y) = r„ (from Proposition 12), arr[l] to s„, and arr[2] to t„. This method is not 
recursive; an interesting exercise for you is to write it recursively. 

import java .math ; 

import j ava . security . SecureRandom; 

import j ava . ut i 1 . * ; 

public class BigIntegerMath { 

//Define some Biginteger constants; this is handy for comparisons 

static final Biginteger ZERO=new Biginteger ( "0 ") ; 

static final Biginteger ONE=new Biginteger { "I" ) ; 

static final Biginteger TWO=new Biginteger ( "2 ") ; 

static final Biginteger THREE=new Biginteger ( "3" ) ; 

static final Biginteger FOUR=new Biginteger ( "4" ) ; 
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//A nonrecursive version of euclid. It returns an array answer of 3 Bigintegers 
//answer[0] is the god, answer[l] is the coefficient of a, answer[2] the coeff 
//of b 

public static Biglnteger[] euclid (Biginteger a,Biglnteger b) throws 
IllegalArgumentException { 

//Throw an exception if either argument is not positive 
if (a. compareTo (ZERO) <=0 I lb. compareTo (ZERO) <=0 ) throw new 
IllegalArgumentException ( "Euclid requires both arguments to be positive!"); 
Biginteger [] answer =new Biginteger [3 ] ; 

//Set up all the initial table entries 
Biginteger rO=new Biginteger (a . toByteArray ()) ; 

Biginteger rl=new Biginteger (b . toByteArray ()) ; 

Biginteger sO=new Biginteger ( "1" ) ; 

Biginteger sl=new Biginteger ( "0 ") ; 

Biginteger t0=new Biginteger ( "0 ") ; 

Biginteger tl=new Biginteger ( "1" ) ; 

Biginteger ql=r0 .divide (rl) ; 

Biginteger r2=r0 .mod(rl) ; 

Biginteger s2 , t2 ; 

//When r2 becomes zero, the previous table entries are the answers 
while (r2 . compareTo (ZERO) >0 ) { 

s2=s0 . subtract (ql .multiply (si) ) ; s0=sl; sl=s2; 
t2=t0 . subtract (ql .multiply (tl) ) ; t0=tl; tl=t2; 
r0=rl; rl=r2; ql=r0 .divide (rl) ; r2=r0 .mod(rl) ; 

} 

answer [0] =rl; answer [1] =sl ; answer [2 ] =tl ; 
return answer; 


TestEuclidApplet is on the book’s website. Run it to test the algorithm (see Figure 3.6). 

3.3 THE FUNDAMENTAL THEOREM OF ARITHMETIC 

The following propositions lead us to the pinnacle of number theory: the Fundamental The- 
orem of Arithmetic, which states that every integer factors uniquely into a product of prime 
powers. Of course, we’ve been using this fact since we were children, but we rarely see the 
proof until after we’ve left high school, and most people never see it at all. But first, two 
other theorems: 

PROPOSITION 13 If a, b, and c are positive integers with a and b relatively prime, and 
such that a\bc, then ale. 

Proof. Since a and b are relatively prime, 3 integers x and y such that ax + by= 1 . Mul- 
tiply both sides of the equation by c to get acx + bey = c. Now, since ala, and a\bc by hypoth- 
esis, proposition 2 says al(acx + bey), a linear combination of a and be. Hence, ale. ■ 
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PROPOSITION 14 Suppose a;, 02 , are positive integers, and p is a prime which 

divides a[fl 2 ■ ■ ■«„■ Then there is an integer i such that 1 < / < n and pb,. 

Proof. If n= 1, the result is trivially true. Now suppose the theorem is true for n = k, and 
consider a product of ^ + 1 integers a 102 ■ ■ ■ divisible by p. Since p\aia 2 ■ ■ . = (a\a 2 

. . . proposition 13 says either plojOj ■ ■ ■ a*, or pbt+i. If pbj:+i, we are finished. If, 

on the other hand plfl[fl 2 ■ ■ ■ our supposition says 3 an integer i between I and n (inclu- 
sive) such that pla,. In this case, induction establishes the desired result. ■ 

PROPOSITION 15 (The Fundamental Theorem of Arithmetic.) Every positive integer 
n greater than 1 can be written in the form n = p ^2 ■ ■ ■ Pr where each p^ is prime, i = 1, 
2, . . . ,n. Furthermore, this representation is unique. 

Proof. Assume some positive integer greater than 1 cannot be written as a product of 
primes, and let n be the smallest such integer. If n is prime, it is trivially a product of primes. 
So n = ah is composite, where l<a<n, l<h<«. Since n is the smallest number greater 
than 1 which cannot be written as a product of primes, a and b must both be products of 
primes. But since n = ab, n is also a product of primes, contrary to our assumption. Given 
that this prime factorization of n exists, we must now show it is unique. Suppose n has two 
different factorizations 


n =piP2 . . ■Pm = qiq2 ■ ■ - qk 
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where each pi and qj is prime, i = I, 2, . . . , m, j = \, 2, . . . , k, and that these factors are in 
nondecreasing order. Remove any common primes from the two factorizations, and re-index 
if necessary to obtain 

P1P2 ■ ■ ■Pv = qiqi ■ ■ - qw, where v<m,w<k. 

All of the factors on the left-hand side are different from the factors on the right. Now, 
consider pi, which divides qiq 2 ■ ■ ■ q^ (since Pi\p\P 2 ■ ■ ■ Pv^ which is equal to qiq 2 . . . q^). 
Proposition 14 says then that p^ must divide g, for some i between 1 and >v (inclusive), but 
this is clearly impossible, since each q, is prime, and each different from pi. Thus, the prime 
factorization of n is unique. ■ 

The Fundamental Theorem of Arithmetic reveals that integers greater than 1 factor 
uniquely into primes. We often order these factors from the smallest to the largest, and group 
those that are equal together. We call this the prime power factorization of an integer. 


lixAMPLES. 


• 24 = 2’ • 3 


• 588 = 2^ • 3 • 7^ 

• 450 = 2 -3^ -5^ 

Before we move on to the next chapter, we should discuss the least common multiple of 
two integers. We will derive a convenient formula to compute it, based on the greatest com- 
mon divisor. Proving the validity of this formula is easy with the Fundamental Theorem of 
Arithmetic. 


Definition 

The least common multiple of two integers x and y, not both zero, is the smallest pos- 
itive integer that is divisible by both x and y. We denote the least common multiple, or 
1cm, of X and y as lcm(x, y). 

It isn’t difficult to compute the 1cm of two integers x and y if we reason in the following 
way: Take the prime power factorization of the two integers, and note which factors they 
have in common. Note that the product P of these common factors must be the gcd of x and 
y. To see this, note that PIx and Ply, and furthermore: 

• If we multiply P by another factor of x (or y), that product will then fail to divide y (or x), 
and 

• if we remove a factor from P, we then have a common divisor of x and y which is smaller 
than P. 

Thus, P = (x, y). (See Figure 3.7.) 

Now, remove one set of the common factors; say, fromx. (See Figure 3.8.) 
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Consider now the integer formed by the product of the factors of y with the remaining 
factors of x. (See Figure 3.9.) 

Clearly, this integer is divisible by both x and y. Furthermore, if we attempt to remove 
any more factors from this integer, it will no longer be divisible by either x or y (possibly 
neither). This is clearly the least common multiple of x and y. This yields a convenient for- 
mula for the least common multiple; that is, 

lcm(x, y) = xy/{x, y). 

This argument doesn’t really count as a proof, and you should confirm this. (Hint: Use 
the prime power factorization of x and y.) 
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HxAMPLES. 

• lcm(36, 78) = 36 • 78/(36, 78) = 36 • 78/6 = 6 • 78 = 468 

• lcm(21, 56) = 21 • 56/(21, 56) = 21 • 56/7 = 3 • 56 = 168 

^ • lcm(100, 2050) = 100 • 2050/(100, 2050) = 100 • 2050/50 = 2 • 2050 = 4100 


EXERCISES 

1. Show that 

a. 5120 

b. 7142 

c. 818 

d. 1155 

e. 710 

f. 34210 

2. Give the divisors of 

a. 72 

b. 37 

c. 30 

d. -27 

e. 0 

3. Using the division algorithm, find integers q and r for the following equations. Remem- 
ber, 0< r<b. 

a. 47 = 5q + r 

b. I53 = 7q + r 

c. -143 = 8^H-r 

d. —7 = 9q + r 

e. 0 = 32q + r 

f. —l=6q + r 

g. —6 = 6q + r 

4. Prove proposition 2. 

5. Determine which, if any, of the following integers are primes. For any that are not 
prime, list the positive factors. 

a. 77 

b. 78 


Exercises 


87 


c. 79 

d. 1801 

e. 981 

f. 31 

g. -31 

6. Find all the primes < 100 using the Sieve of Eratosthenes. 

7. Write a Java program to prompt the user for a positive number n, then compute and dis- 
play all primes < n using the Sieve of Eratosthenes. (Hint: Use an array of size n + I 
of type boolean.) 

8. Find the gcd of the following sets of integers. 

a. 15,35 

b. 21,99 

c. 76,24,32 

d. 132,64,0 

e. 99,-100 

f. -83, -23 

9 . Determine if the following lists of integers are mutually relatively prime, pairwise rel- 
atively prime, or neither. 

a. 198,252,54,18,9 

b. 130, 65, 39, 143 

c. 14,98,25 

d. 32,27,35 

10 . Find a set of four integers which are mutually relatively prime, but not pairwise rela- 
tively prime. 

11 . Find a set of five integers which are mutually relatively prime, but not pairwise rela- 
tively prime. 

12 . Find the gcd of the following sets of integers using the Euclidean algorithm. 

a. 318,3243 

b. 21,364 

c. 102,222 

d. 104,24,32 

e. 132,64,40 

f. 20785,44350 

g. 99, 121 

h. 83,23 

i. 34709, 100313 
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13 . Prove proposition 10. (Hint: Use proposition 2 to show that the common divisors of c 
and d are the same as the common divisors of d and r.) 

14 . Write a gcd() method for the Int class without using recursion. 

15 . Add a gcd button to the Int calculator developed in a previous exercise. Use your own 
gcd() method from the previous exercise. 

16 . Express the gcd of each of the following pairs of integers as a linear combination of the 
pair. 

a. 45 and 75 

b. 121 and 32 

c. 512 and 96 

d. 10101 and 27 

e. 39 and 143 

f. 1023 and 300 

g. 25 and 26 

h. 423102 and 462 

i. 98 and 70 

j. 23984756 and 9238475 

17 . Write a recursive version of the euclid() method for Bigintegers. 

18 . Give the prime power factorization of the following integers: 


a. 

10201 

b. 

874 

c. 

252 

d. 

5250 

e. 

1212 

f. 

36179 

g- 

4350 


19 . Prove that if a and b are nonzero integers, then lcm(a, b) = abl(a, b). 

20 . Calculate the 1cm of the following pairs of integers: 

a. 104,24 

b. 252, 198 

c. 17,83 

d. -123,6 

e. 987654321, 123456789 
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Linear Diophantine Equations 
and Linear Congruences 


4.1 LINEAR DIOPHANTINE EQUATIONS 

Diophantine equations are special types of equations. What characterizes them is that their 
solutions must be integers. Consider the following equation: 

12x + 27y = 32. 

This is called a linear diophantine equation in two variables. It is diophantine because we 
are only interested in integer solutions for the variables, and it is linear because the highest 
power of any variable in the equation is 1 . The preceding equation has no integer solutions 
for X and y (try to find one, if you like), whereas the following equation 

12x + 27y = 30 

has infinitely many integral solutions! One solution is x = —20, y = 10. (Try to find some 
more, or a formula which gives them all.) What distinguishes the first equation from the sec- 
ond? Proposition 16 will provide the answer to this; it will tell us which such equations 
have solutions, and which do not. The proof is constructive, in that it shows how to find the 
solutions when they exist. 

PROPOSITION 16. Let a and b be nonzero integers with d = (a, b). If die, the integer 
solutions X and y of the equation ax + by = c are x = Xq + bn/d, y = yo — an/d, where x = Xq, 
y = yo is a particular solution. If r/ T c, the equation has no integer solutions. 

Proof. Suppose x and y are integers such that 

ax + by = c. (*) 

Then, since d\a and d\b, by proposition 2, d also divides c. Thus, the contrapositive says 
if d does not divide c then there are no integral solutions. So, suppose die. Proposition 12 
demonstrates the existence of integers s and f such that 

d = as + bt. 
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Since d\c, there is an integer e such that de = c. Multiply both sides of d = as + bthy e 
to obtain 


c = de = {as + bt)e = a{se) + b{te) 

and we see then that x = Xq = se,y = y(^ = te is a. particular solution to (*). Now, let x = Xo + 
bnid, y =yo ~ anid, where n is any integer. Note that this is also a solution: 

ax + by = aXf) + abnid + hyo ~ ban/d = axg + by^ = c. 

We must show that every solution of (*) must be of this form. Suppose x and y are inte- 
gers such that ax + by = c. Since axg -i- by^ = c, we subtract and rearrange terms to get 

(ax + by) — (oxq + byo) = 0 

a{x - Xo) + b{y - yg) = 0 

a{x - Xg) = biyo - y). 

Divide both sides of the previous equation by d to get 

{a/d)ix - Xg) = {bld){yo - y). 

Proposition 7 tells us that (a/d, bid) = 1, and we use proposition 13 to then show that 
{a/d)\(yfj — y). Thus, we can write anId = yo — y for some integer n, and so y = yg — an/d. 
If we insert this value of y back into 

a{x - Xg) = b{yo- y) 

we get a{x — Xg) = b{an/d), and hence x = Xg H- bn/d, as desired. ■ 


Example. The previous theorem allows us to find all solutions of the two equations presented 
at the beginning of this chapter. Consider again the equation 12x + 27y = 32. The gcd of 12 
and 27 is 3, which does not divide 32. Thus, this equation has no integer solutions. But the 
second equation, 12x + 27y = 30, has infinitely many integer solutions since 3130. We find 
all the solutions by first finding a particular solution. First, note that integers s and t exist 
which solve 12^ + 21t = (12, 27) = 3, and proposition 12 tells us how to compute them. 
They are s = —2, t=\. Thus, since 12(— 2) H- 27 ■ 1 = 3, we can multiply both sides of the 
equation by 10 to get 12(— 20) -i- 27 • 10 = 30. So a particular solution to 12x + 27y = 30 is 
Xg = —20, yg = 10. Proposition 16 says all of the solutions to 12x + 27y = 30 are then given 
by X = —20 + T/n/'i = —20 + 9n, and y = 10 — 12w/3 = 10 — 4w, V integers n. 

ZMxAMPLE. Diophantine equations have real-world applications as well. Suppose you are at 
the grocery store with 4 dollars and 27 cents. Apples sell for 35 cents, and oranges for 49 
cents. What combination of apples and oranges (if any) will exhaust your money? (Assume 
there is no sales tax.) We wish to find all integer solutions to the equation 35x + 49y = 427. 
First, compute (35, 49) = 7, and note that 427 = 61 • 7, so 71427. Thus, the equation has infi- 
nitely many solutions. We find a particular solution by first solving 355 -i- 49? = 7, and get 
s = 3, t= -2. Multiply both sides of 35 • 3 H- 49(-2) = 7 by 61 to get 35 • 183 H- 49(- 122) 
= 427, and get a particular solution to our equation; that is, Xg = 183, and yg = — 122. The 
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Table 4.1 



general solutions to the equation are then x= 183 + In, y = —122 — 5n\/ integers n. Since 
we obviously cannot huy a negative number of apples or oranges, we need to find which of 
these solutions are nonnegative. Thus we find that x = 183 + 7n > 0, or n > —183/7 = 
—26 1/7, and y=— 122 — 5« > 0, or n < — 122/5 = — 24 2/5. Thus, n can only attain the val- 
ues —26, and —25. Each of these values of n produces a satisfactory solution to our prob- 
lem, which can be seen in the Table 4. 1 . 


Note that with diophantine equations, it is only necessary to solve the equation ax + by 
= c where a, b, and c are all positive, for if any of these are negative, the solution is still eas- 
ily obtained by inverting some of the signs. For example, suppose x = x' and y = y' is a 
solution to ax + by = c, where a, b, and c are all positive. Then we have all of the following 
in case any one of the constants changes sign. 

X = — x', y = — y' is a solution to ax + by = —c, 

X = — x', y = y' is a solution to —ax + by = c, and 

X = x', y = — y' is a solution to ax — by = c 

One can easily solve for the other cases when 2 or all 3 of the constants change sign. 
More cases to consider are when one of a, b, or c is 0. For these cases we have 

• x = b,y= —a is a solution to ax + by = 0 

• X = 0, y = db is a solution to Ox H- by = c (provided b\c) 

• X = da, y = 0 is a solution to ax H- Oy = c (provided ale) 

Java Algorithm. We now write for the BigIntegerMath class a method to solve linear 
diophantine equations ax + by = c. Because of the previous discussion, we will allow only 
equations where a and b are positive, and c is nonnegative. You may wish to rewrite the 
method to solve equations when any of a, b, or c are negative, or zero. The method will accept 
the coefficients a and b, and the constant c as Bigintegers. If a or h are not positive, or if c 
is negative, it will throw an IllegalArgumentException. It will then compute d = (a, b), and 
if <7 T c, it will again throw an IllegalArgumentException. Otherwise, it will compute a par- 
ticular solution X = x', y = y' to the equation, and return it in an array of Bigintegers. The 
element at index 1 will be x', and y' will be at index 2. For convenience, the ged of a and b 
will be returned at index 0. This is useful if we want to display the general solution. 

public static Biglnteger[] solveLinearDiophantine (Biginteger a, 

Biginteger b. 
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Biginteger c) throws IllegalArgumentException { 

if (a. compareTo (ZERO) <=0 I I b. compareTo (ZERO) <=0 I |c.compareTo(ZERO)<0) 
throw new IllegalArgumentException 

("All constants must be positive in linear diophantine equation."); 
Biglnteger[] euclidAnswers=euclid(a,b) ; 
if (c.mod(euclidAnswers [0] ) . compareTo (ZERO) !=0) 
throw new IllegalArgumentException 

("No solution since "+euclidAnswers [0] +" does not divide "+c+"."); 
Biginteger [] answer =new Biginteger [3 ] ; 

Biginteger q=c .divide (euclidAnswers [0] ) ; 
answer [0] =euclidAnswers [0] ; 
answer [1] =q. multiply (euclidAnswers [1] ) ; 
answer [2] =q. multiply (euclidAnswers [2 ] ) ; 
return answer; 


} 



There is an applet called TestDiophantineApplet on the book’s website you can use to 
solve linear diophantine equations. A screen shot of the applet solving a sample equation is 
shown in Figure 4. 1 . 


4.2 LINEAR CONGRUENCES 

Now we can begin the study of congruences, which are a special type of relation greatly influ- 
enced by and related to diophantine equations. They are used heavily in many cryptosys- 
tems. The definition of congruence follows. 



4.2 Linear Congruences 


93 


Definition 

Let m be a positive integer, and a and b integers. If m\{a — b), we say that a is congru- 
ent to b modulo m, and write a = b (mod m). If m L (a — b), we say that a and b are 
incongruent modulo m (or not congruent modulo m), and write a^b (mod m). 


I£xAMPLES. Note the following: 

• 23 = 2 (mod 7), since 7 divides 23 — 2 = 21. 

. 45 ^ -7 (mod 13), since 131(45 - (-7) = 52). 

-| » 10 ^ 100 modulo 4, since 4 L (10 — 100) = —90. 

The following will help us solve linear congruences by allowing us to express them as 
equations. 

PROPOSITION 17. Integers a and b are congruent modulo m iff 3 an integer k such that 
a = b + km. 

Proof, a = b (mod m) iff m\(a — b) iff 3 an integer k with a — b = km, or a = b + km. 


Example. 


75 ^ 3 (mod 8) 
iff 81(75 - 3) 

iff 8A: = 75 — 3 for some integer k 
iff 75 = 8A: H- 3 for some integer k 
iff k = 7. 


Congruences have many properties similar to equations. Some of these follow in the 
next proposition, and you should easily be able to prove all of them. 


PROPOSITION 1 8 . Let a, b and c be integers, and let m be a positive integer. Then 
a. fl = a (mod m). 

\). a = b (mod m) implies b = a (mod m). 

c. a = b (mod m) and = c (mod m) implies a = c (mod m). 
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HxAMPLES. 

1 ^1 (mod 9) (Clearly, since 91(7 - 7) = 0). 

b. 8 ^ 2 (mod 6) and so 2 ^ 8 (mod 6) (Since 61(8 - 2) = 6 iff 61(2 - 8) = -6). 

c. 7 = — 3 (mod 5) and —3 = 2 (mod 5) implies 7 = 2 (mod 5). 

Proposition 18 tells us that congruences modulo m partition the integers into m distinct 
subsets modulo m, and each subset contains integers that are all congruent to each other 
modulo m. For example, congruences modulo 3 partition the integers into 3 subsets: 

a. {. . . , -9, -6, -3,0, 3,6,9, . . .} 

b. {. . . , -8, -5, -2, 1,4,7, 10, . . .} 

c. {. . . , -7, -4, -1,2,5, 8, 11, . . .} 

All of the integers in set (a) are congruent to each other modulo 3. Likewise for sets (b) 
and (c). (Verify.) Also, there are no integers that do not belong to exactly one of these sets. 
Now, consider the subsets consisting of only the nonnegative members of sets (a), (b), and 
(c). Note that no such subset is empty, and so each will have a minimal element. For the set 
of nonnegative elements of set (a), this minimal element is 0. For set (b), the minimal pos- 
itive element is 1, and 2 is the minimal positive element of set (c). These particular ele- 
ments are often used as representatives of the congruence classes in which they reside, and 
a definition for them follows. 


Definition 

Let b be an integer, and let m be a positive integer. All integers congruent to b modulo 
m are called residues of b modulo m. The least nonnegative residue, or Inr, of b mod- 
ulo m is the least nonnegative integer congruent to b modulo m. 

Again, note that such a least nonnegative residue always exists, just by noting that 
the least nonnegative residue r of c modulo m > 0 is the very same r obtained from the 
division algorithm 

c = dq + r 0< r<d 

which we already know always exists. 


lIxamples. 

a. The Inr of 29 modulo 13 is 3. That is, 3 = 29 (mod 13), and 3 is the smallest nonnega- 
tive integer congruent to 29 modulo 13. 

b. 44 = 2 (mod 6), and 2 is the smallest nonnegative number congruent to 44 modulo 6, 
hence it is the Inr of 44 modulo 6. 

c. — 17 = — 2 = 3 (mod 5), and 3 is the Inr of — 17 modulo 5. 

Note that in all of the examples, the Inr is just r from the division algorithm, for 
a. 29 = 13 • 2 H- 3, 
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b. 44 = 7 ■ 6 + 2, and 

c. -17 = 5 • -4 + 3. 


Java Algorithm. Since we now have the concept of the least nonnegative residue, we 
should write a Java method (in the BigIntegerMath class) to compute it. The Biginteger 
class provides a mod() method, but the Java documentation says it can return a negative 
remainder if the dividend is negative. We correct this by just adding the value of the mod- 
ulus to the residue if it is negative. Also, recall that we do not allow negative moduli. 

//Computes the least nonnegative residue of b mod m, where m>0 . 
public static Biginteger Inr (Biginteger b, Biginteger m) { 
if (m. compareTo (ZERO) <=0 ) 

throw new IllegalArgumentException ( "Modulus must be positive."); 

Biginteger answer=b.mod(m) ; 

return (answer . compareTo ( ZERO) <0 ) /answer . add (m) : answer; 

} 

We would like to be able to form some rules of algebra for congruences. Many rules that 
hold for equations also hold for congruences. 

PROPOSITION 1 9. Let a, b, and c be integers, and let m be a positive integer. Suppose 
a = b (mod m). Then 

a. a + c = b + c (mod m) 

b. a — c = b — c (mod m) 

c. ac = be (mod m). 

Proof. 

a. We prove the first here. We have a = b (mod m), so m\{a — b). But a — b = (a + c) — 
(b + c), and this is divisible by m, hence a + c = b + c (mod m). 

b. (For you to prove.) 

c. (For you to prove.) ■ 

We can do even better than the properties of proposition 19 when dealing with congru- 
ences. That is, we do not have to add, subtract, or multiply by the same element on both sides 
of a congruence to preserve it, but only by elements that are congruent modulo m. These 
properties are easily established, and are left to you to prove. 

PROPOSITION 20. Let a, b, c, and d be integers, and let m be a positive integer. Sup- 
pose a = b (mod m), and c = d (mod m). Then 

a. a + c = b + d (mod m) 

b. a — c = b — d (mod ni) 

c. ac = bd (mod m). 
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Examples. Note that 9 = 2 (mod 7). Then all of the following are true: 
. (7 + 9) ^ (-7 + 2) (mod 7) 

Check: (7 + 9) ^ 16 ^ 2 (mod 7) and (-7 + 2) ^ -5 ^ 2 (mod 7) 

• (3 - 9) ^ (-4 - 2) (mod 7) 

Check: (3 - 9) ^ -6 ^ 1 (mod 7) and (-4 - 2) ^ -6 ^ 1 (mod 7) 

• (3 • 9) ^ (-4 • 9) (mod 7) 

^ Check: (3 • 9) ^ 27 = 6 (mod 7) and (-4 • 2) ^ -8 ^ 6 (mod 7) 


Note that a similar property for division does not appear in proposition 19 or proposition 
20. This is because it isn’t true in general. For example, note that 16 = 4 (mod 12), but that 
16/2 = 8 is not congruent modulo 12 to 4/2 = 2. However, if we take the gcd of 12 and 2, 
note that 8 and 2 are congruent modulo 6 = 12/(12, 2). This is true in general, and we prove 
it thus: 

PROPOSiTiON 21 . Let a, b, and c be integers, and let m be a positive integer. Let d = 
(c, m), and suppose ac = be (mod m). Then a = b (mod mid). 

Proof. Since ac = be (mod m), m\{ac — be) = c(a — b). Thus, there is an integer k such 
that c{a — b) = km. Divide both sides by d to get {c/d){a — b) = k(m/d). Proposition 7 says 
dd and mid are relatively prime, so {mld)\ia — b) by proposition 13. Thus, a = b (mod 
mid). ■ 


A special case occurs in the previous theorem when c and m are relatively prime, for 
then division by the integer c preserves the congruence modulo m. For example, note that 
50 = 15 (mod 7), and that 50 = 10 ■ 5, and 15 = 3-5. Since 5 is relatively prime to the mod- 
ulus 7, we can factor it out on both sides of the congruence and still preserve it; that is, 10 
^ 3 (mod 7). 


lixAMPLES. 

•10 = 4 (mod 3), so 

10/2 = 4/2 (mod 3), or 
5^2 (mod 3) 

• 30^ 12 (mod 18), so 

30/3 = 12/3 (mod 18/3), or 
10^4 (mod 6). 
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We now have enough artillery in our arsenal to solve linear congruences. A linear con- 
gruence in one variable is of the form ax= b (mod m) where x is unknown. The following 
are examples of such congruences: 

a. 9x=l (mod 45) 

b. 2lz ^ 9 (mod 30) 

Some of these congruences have solutions, while others do not. For example, the con- 
gruence (b) has all of the following solutions for z- 

z = 9 (mod 30), since 21 - 9=1 89 = 9 (mod 30) 

z = 19 (mod 30), since 21 • 19 = 399 = 9 (mod 30) 

Z = 29 (mod 30), since 21 • 29 = 609 = 9 (mod 30) 

However, the congruence (a) has no solutions for x. Why? The following tells us when 
solutions exist, and how to find them. 

PROPOSITION 22. Suppose ax=b (mod m), where b is an integer, and a and m are 
nonzero integers. Let d = {a, m). If c? T b, the congruence has no solution for x. If d\b, then 
there are exactly d incongruent solutions modulo m, given by x = Xq + tmid, where Xq is a 
particular solution to the linear diophantine equation ax + my = b, and t = 0, I, . . . , d — 1. 

Proof. Proposition 7 says that the linear congruence ax= b (mod m) is equivalent to the 
linear diophantine equation ax — mz = b, or ax + my = b where y = — z. The integer x is a 
solution of ax = b (mod m) iff 3 an integer y such that ax + my = b. By proposition 16 we 
have no integer solutions to this equation if d -f b, but when d\b, we have infinitely many 
solutions given by 

X = Xq + mt/d, y = yo + add, where x = Xq, y = yo is a particular solution. 

These values for x are then solutions to ax = b (mod m). To determine which solutions 
are congruent modulo m, suppose 

Xq + mr/d = Xq + ms/d where r and s are integers. 

Subtract Xg from both sides to get 

(m/d)r = (m/d)s (mod m) 

and note that (m, m/d) = m/d since (m/d)\m. We then use proposition 21 to see that 

r = 5 (mod d). 

This says that two solutions Xq -h mr/d and Xg -i- ms/d are congruent modulo m exactly when 
r and s are congruent modulo d. Thus, the complete set of incongruent solutions x = Xg -i- mdd 
is obtained as f spans the integers 0, 1. ■ 

Just stating proposition 22 sounds like a mouthful, but using it to solve linear congruences 
is actually easy, as we’ll see in the following examples. Note that for linear congruences, 
as with linear diophantine equations, we concern ourselves only with congruences where all 
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the constants are positive. Congruences not in this form can easily be put so by replacing 
the values for a and b with their least nonnegative residues modulo m. For example, the 
congruence 143x = — 11 (mod 121) yields exactly the same set of incongruent solutions as 
22x^ no (mod 121). 


Examples. 

• Find all incongruent solutions to 9x = 7 (mod 12). Note that (9, 12) = 3, and that 3 -f 7. 
Therefore, there are no solutions. 

• Find all incongruent solutions to 16x = 12(mod 20). We compute (16, 20) = 4, and note 
that 4112. Thus, 4 incongruent solutions modulo 12 exist. We first find a particular solu- 
tion by noting that solving 16x = 12 (mod 20) for x is the same as solving the linear dio- 
phantine equation I6x — 20y = 12. Note that we may just as well solve the equation 
16x H- 20>’ =12 because we will discard the value obtained for y anyway. We find a par- 
ticular solution to be X = Xq = — 3, y = yo = 3. The set of all incongruent solutions can be 
computed as 

x=-3+0- (20/4) =-3^17 (mod 20) 
x=— 3h-1 - 5 = 2 (mod 20) 
x=-3h-2-5^7 (mod 20) 

^ x= -3 h- 3 • 5 ^ 12(mod20). 


The validity of each of these solutions is easily checked, and you are invited to do so. 


Java Algorithm. Surely you have noticed that solving a linear congruence simply 
means solving the appropriate linear diophantine equation. Therefore, writing a solveLin- 
earCongruenceO method in the BigIntegerMath class should be a snap. 

public static Biglnteger[] solveLinearCongruence (Biginteger a, Biginteger b, 
Biginteger m) { 

Biginteger!] answers=solveLinearDiophantine (Inr (a,m) ,m,lnr(b,m) ) ; 
return answers; 



I have written an applet called TestLinearCongruenceApplet which you can run from 
the book’s website. Some screen shots are shown in Figures 4.2, 4.3, and 4.4. 

Note that if there are multiple solutions, you can repeatedly press the “Next Solution” but- 
ton to see the others. 


4.3 MODULAR INVERSES 

Congruences of the form ax = 1 (mod m) are considered special. Solutions for a to such con- 
gruences are called inverses of a, when they exist. The following definition formalizes this 
concept. 
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FIGURE 4.2 


FIGURE 4.3 
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Definition 

Note that the solution to ox = 1 (mod m) exists only when a is relatively prime to m, 
since (a, m) must divide 1. When such solutions exist, there is only one incongruent solu- 
tion modulo m. A solution to such a congruence is called an inverse of a modulo m, and 
we write such an inverse as o'. 


OxAMPLES. 


• 19 is an inverse of 4 modulo 25, since x = 19 (mod 25) solves 4x = 1 (mod 25). (Verify.) 
Thus, we write 4' = 19 (mod 25). 

• A solution to 7x = 1 (mod 8) is x = 7 (mod 8). Thus, 7 is its own inverse modulo 8, or 
we can write 7' = 7 (mod 8). This is easily checked, since 7 - 7' = 7- 7 = 49 =1 (mod 
8 ). 

• Now, consider the congruence 9x = 1 (mod 15). Note that 9 has no inverse modulo 15, 
since 9 and 15 are not relatively prime. 


1. Find all integer solutions to the following linear diophantine equations, if any exist: 
a. 42x + 30y = 20 


EXERCISES 
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b. 

42x -H 30y = 

18 

c. 

252xh- 198y 

= 90 

d. 

llxH- 17y = 

23 

e. 

12x + 32y = 

10 

f. 

12x + 32y = 

92 

g- 

36x-H81y = 

117 

h. 

252xh- 198y 

= 414 


2 . Suppose for the apples and oranges example in this chapter that you have instead the 
following amounts of money: 

a. 2 dollars and 66 cents 

b. 3 dollars 

c. 7 dollars and 42 cents 

d. 91 cents 

Find all feasible solutions to the number of apples and oranges you should buy to exactly 
exhaust your money. 

3 . Dr. Fonebone goes to the post office to buy some 320 stamps and some 50 stamps. If 
the doctor spent $3.45, how many stamps of each type could he have bought? 

4 . Alien Commander Freenbean returns to her planet after a trip to Southeast Asia. If she 
exchanges her foreign currency and receives a total of 941 gznardls, where she receives 
37 gznardls for each Philippine peso and 63 gznardls for each Thai baht, how much of 
each type of currency did she exchange? Are there multiple answers? 

5 . You are at a classy restaurant with only $18.17 in your pocket, and you are starving. 
Everything on the menu costs more than $20, except the following two items: bread- 
sticks at $1.89 each, and large mountain oysters at $2.50 each. How much of each item 
should you buy to spend all your money? 

6. What combination(s) of quarters and dimes totals $2.95? 

7. Write a GUI or an applet to enter the values of a, b, and c for the linear diophantine equa- 
tion ax + by = c. Display a particular solution x = XQ,y = yQ in the window when the user 
presses a “compute” button. Subsequent presses of the same button should produce an 
alternate solution; the nth press should give the solution x = Xq + bnid, y = yo ~ anid. 

8. Solve all of the following congruences for x, when solutions exist. If solutions do not 
exist, explain why. 

a. 6jc = 4 (mod 14) 

b. 9x^7 (mod 15) 

c. 9x=2\ (mod 24) 

d. 21x^9 (mod 24) 

e. 35x =21 (mod 56) 

f. 8x = 7 (mod 15) 

g. 348975893461X = 1 (mod 9238745892364) 
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h. 46873258738754865JC = 3 (mod 9283765872587542121751) 

9. Find an inverse of 

a. 10 modulo 21 

b. 5 modulo 8 

c. 6 modulo 21 

d. 13 modulo 30 

e. 13 modulo 143 

f. 14 modulo 15 

g. 33 modulo 121 

h. 985 modulo 2527 

i. 8 modulo 27 

j. 9 modulo 14 

when such an inverse exists. If it does not exist, state the reason. 

10 . Prove proposition 18. 

11 . Prove proposition 19. 

12 . Prove proposition 20. 

13 . Consider how you might solve linear diophantine equations in more than two variables; 
for example, the equation 

3x + 2y + 5z = 26 

has X = 5, y = 3, z= 1 as a particular solution. How might you find this particular solu- 
tion? Or any other? One approach you might take is to solve the equation 

3x + 2y + 5z = 1 

where (3, 2, 5) = 1, and remember that (3, 2, 5) = ((3, 2), 5). That is, you can solve 

3x + 2y = (3, 2) = 1 

then use these values for x and y to solve the equation in three variables using the proper 
substitutions. 

14 . What combination(s) of quarters, dimes, and nickels equals 850? 

15 . How many ways can change be made for a dollar using 

a. quarters and dimes? 

b. quarters, dimes, and nickels? 

16 . What time does a 12-hour clock read 

a. 35 hours after 8 o’clock? 

b. 73 hours after 5 o’clock? 

c. 58 hours before 1 o’clock? 
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17 . A satellite orbits the earth with period p hours, where 0 <p < 24, and p is an integer. If 
the satellite is directly overhead at 1300 (on a 24-hour clock), then 7 orhits later is again 
directly overhead at 1800, what is p, the orbital period of the satellite? 

18 . Old Faithless is a geyser in Tibet that erupts every 5 hours. If it erupted at exactly 12 
noon on lune 2, 2000, when did it next erupt at exactly 12 noon? 

19 . The Screechids is a meteor shower through which the planet Mongo passes every 143 
of its days. Mongo passed through the Screechids on its New Year’s day in its year 
10793. If the orbital period of Mongo is 299 of its days, when did Mongo next pass 
through the Screechids on New Year’s day? (Mongo has no leap years, nor any other 
calendar adjustments.) 

20 . Consider now how you may solve a system of linear diophantine equations, as in the 
system 

3x+3y + 2z= 11 
5x H-y H- 3z = 10 

which has as a particular solution x= \,y = 2,z = 1. Explain how such a solution (or 
any other particular solution) could be found. Does this system have infinitely many 
solutions? 

21 . Solve the following system of linear diophantine equations. 

3x + y + lz = 14 
Ax+3z + z=l2 

22. Solve the following system of linear diophantine equations. 

3x + y + lz = 14 
Ax+3z + z=l2 
2x + 5z + z = 10 

23. Solve the following system of linear diophantine equations. 

3x + y + lz = 14 
4x + 3z + z = 12 
2x + 5z + z = 9 
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Linear Ciphers 


The earliest cryptosystems were simple character substitution ciphers; that is, ciphers 
which mapped individual characters to characters. These were the predecessors of 
stream ciphers. Stream ciphers may encipher characters, or they may encipher quantities as 
small as a single bit. What characterizes most modern stream ciphers is that the encipher- 
ing transformation enciphers quantities differently based on their position in the stream. 
The cipher that follows actually does not fit this definition, since its enciphering transfor- 
mation always maps any particular character to the same character. 


5.1 THE CAESAR CIPHER 

The earliest known cipher is the Caesar cipher. This cipher simply replaces each letter in the 
plaintext with the letter three characters down. That is, if we are using the alphabet A thru 
Z, A is replaced with D, B is replaced with E, and so on, with the substitution wrapping 
around for letters near the end of the alphabet. (See Chapter 1 , “A History of Cryptography.”) 
For convenience, each letter-number pair of the ordinary alphabet is shown in Table 5.1. 
We can represent the enciphering transformation as 

C ^ P H- 3 (mod 26) 0 < C < 26 

where C represents the ciphertext character, and P represents the plaintext character. To 
decipher, it is obvious that we solve the above congruence for P to get 

P ^ C - 3 (mod 26) 0 < P < 26. 


ABCDEFGHI J KLMNOPQRSTUVWXYZ 
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 
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In general, if we use an alphabet of size n, the enciphering transformation of a shift cipher 
is 


C = P + 5 (mod n) 0 < C < n. 
We allow the shift s to be any number between 1 and n — 1. 


I£xAMPLE. Encipher the message 

THIS MESSAGE IS TOP SECRET 

using the ordinary alphabet and a Caesar cipher with a shift of 3. When each letter is con- 
verted to a number, and we group into blocks of length 5, we get 

19 7 8 18 12 4 18 18 0 6 4 8 18 19 14 15 18 4 2 17 4 19. 

(Here, we group the items in blocks for readability.) After applying the enciphering trans- 
formation, each number becomes 

22 10 11 21 15 7 21 21 3 9 7 11 21 22 17 18 21 7 5 20 7 22 

and the ciphertext message is sent as 

WKLVP HWDI HLVWR SVHEU HW. 

Hopefully you can see that by shifting each of the ciphertext letters back three letters; that 
is, by applying the deciphering transformation 

P ^ C - 3 (mod 26), 


a 


the plaintext is regained. 


When writing programs to encipher/decipher, we will rarely use the ordinary alphabet. 
Computers already have a character-number association, since everything must be stored 
as a binary number inside a digital computer. There are various character representation 
schemes out there; most notable are ASCII, and EBCDIC. Java uses a character mapping 
called Unicode; programs using Java over the Internet usually encode characters in Unicode. 
The following is a partial listing of the Unicode sequence (the first 255 characters happen 
to be the same characters as in the ASCII sequence). The characters and their associated num- 
ber code are listed. The first 32 characters (0 through 31) are nonprintable characters, and 
character #32 is the space. Thus, they are not shown here. (See Table 5.2.) 

We will call the previous character-number association the “ASCII alphabet.” In general, 
however, we will regard a message as merely an array of bytes, and will not concern our- 
selves with what the bytes represent. 

Java Algorithm. To see the character encoding used by your system, the following 
Java program will help. 
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TABLE 5.2 
Partial 

ASCII-Unicode 

Table 










33 ! 

34 " 

35# 

36$ 

37% 

38 & 

39 ' 

40 ( 

41 ) 

42* 

43 + 

44 , 

45 - 

46 . 

47/ 

48 0 

49 1 

50 2 

51 3 

52 4 

53 5 

54 6 

55 7 

56 8 

57 9 

58 : 

59 ; 

60 < 

61 = 

62 > 

63 ? 

64 @ 

65 A 

66 B 

67 C 

68 D 

69 E 

70 F 

71 G 

72 H 

73 1 

74 J 

75 K 

76 L 

77 M 

78 N 

79 0 

80 P 

81 Q 

82 R 

83 S 

84 T 

85 U 

86 V 

87 W 

88 X 

89 Y 

90 Z 

91 [ 

92 \ 

93] 

94^ 

95 _ 

96' 

97 a 

98 b 

99 c 

100 d 

101 e 

102 f 

103 g 

104 h 

105 i 

106j 

107 k 

108 1 

109 m 

110 n 

111 0 

112 p 

113 q 

114 r 

115s 

116t 

117 u 

118 V 

119 w 

120 X 

121 y 

122 z 

123 { 

124 I 

125 } 

126 ~ 








public class DisplayCharacterSet { 

public static void main (String [ ] args) { 

for (int i=33;i<256;i++) System. out .print (i+" "+ (char ) i+" \t-" ) ; 

} 

} 


Here is the output of the program when I ran it: 


-33 ! 

-34 " 

-35 # 

-36 $ 

-37 % 

-38 & 

-39 ■ 

-40 ( 

-41 } 

-42 * 

-43 + 

-44 , 

-45 - 

-46 . 

-47 / 

-48 0 

-49 1 

-50 2 

-51 3 

-52 4 

-53 5 

-54 6 

-55 7 

-56 8 

-57 9 

-58 ; 

-59 ; 

-60 < 

-61 = 

-62 > 

-63 ? 

-64 @ 

-65 A 

-66 B 

-67 C 

-68 D 

-69 E 

-70 F 

-71 G 

-72 H 

-73 I 

-74 J 

-75 K 

-76 L 

-77 M 

-78 N 

-79 0 

-80 P 

-81 Q 

-82 R 

-83 S 

-84 T 

-85 U 

-86 V 

-87 W 

-88 X 

-89 Y 

-90 Z 

-91 [ 

-92 \ 

-93 ] 

-94 

-95 

-96 ' 

-97 a 

-98 b 

-99 c 

-100 d 

-101 e 

-102 f 

-103 g 

-104 h 

-105 i 

-106 j 

-107 k 

-108 1 

-109 m 

-110 n 

-111 o 

-112 p 

-113 q 

-114 r 

-115 s 

-116 t 

-117 u 

-118 V 

-119 w 

-120 X 

-121 y 

-122 z 

-123 { 

-124 1 

-125 } 

-126 ~ 

-127 a 

-128 ? 

-129 ? 

-130 ? 

-131 ? 

-132 ? 

-133 ? 

-134 ? 

-135 ? 

-136 ? 

-137 ? 

-138 ? 

-139 ? 

-140 ? 

-141 ? 

-142 ? 
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-143 


-144 

? 

-145 

■p 

-146 ? 

-153 

? 

-154 

? 

-155 

■p 

-156 ? 

-163 

u 

-164 

n 

-165 

N 

-166 ^ 

-173 

i 

-174 

« 

-175 

» 

-176 1 

-183 

I 

-184 

I 

-185 

11 

-186 II 


-193 

_L 

-194 

“T 

-195 

h -196 

-203 

T 

-204 

11 

-205 = 

-206 1 

-213 

r 

-214 

fr 

-215 1 

-216 =(= 

-223 

m 

-224 

a 

-225 5 

-226 r 

-233 

® 

-234 

Q 

-235 S 

-236 CO 

-243 


-244 

f 

-245 J 

-246 ^ 

-253 

2 

-254 

■ 

-255 

_ 


-147 

■p 

-148 

p 

-149 ? 

-150 ? -151 ? 

-152 ? 

-157 

■p 

-158 

p 

-159 ? 

-160 a -161 i 

-162 6 

-167 

■> 

-168 

6 

-169 

-170 -171 

-172 k 

-177 

1 

-178 

1 

-179 1 

1 

M 

CO 

O 

CO 

1-1 

_u_ 

-182 1 

-187 

n 

-188 

J 

-189 -11 

-190 J -191 n 

-192 ^ 

- -197 

+ 

198 

[= -199 

||- -200 It -201 

If -202 

-207 

± 

-208 

JL 

-209 =r 

-210 I,- -211 It 

-212 t 

-217 

J 

-218 

r 

-219 1 

-220 B -221 1 

-222 1 

-227 

n 

-228 

s 

-229 a 

-230 VI -231 T 

-232 4) 

-237 

9 

-238 

e 

-239 n 

-240 = -241 ± 

-242 £ 

-247 

25 

-248 


-249 • 

-250 • -251 f 

-252 " 



Java Algorithm. Writing a program to encipher and decipher using shift transforma- 
tions is very easy. In our Java programs, we will map hytes to hytes. The following is a pro- 
gram to encipher with shift transformations in Java. The modulus, however, is now 256. 
This is because the numeric range of a single byte is 0 through 255. 

I have written an applet called TestCaesarCipherApplet which shows how the Caesar 
cipher operates. It can be found on, and run from, the book’s website. Two pictures are 
shown in Figures 5.1 and 5.2. 


FIGURE 5.1 
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FIGURE 5.2 


C:\Docunients and Settings\Administiator\My Docunen(s\java\. 


^xj 


File Edit View Favorites Tools Hel ”!|Addressj| 

13! 

Caesat Cipher Demonstration 

Plaintext 


3 

1 

Ciphertext 


d 

|Wk.h#prqvwhuvttiutptlwkhl}LG $ 

Shift value (0-255): 

|5 

i ....SfflE - : 

Decipher 



The code for this applet follows: 

import j ava . math . * ; 
import java. applet ; 
import j ava . awt . * ; 
import j ava . awt . event . * ; 

public class TestCaesarCipherApplet extends Applet implements ActionListener { 

int shift=0; 

bytel] msgArray=null ; 

byte [ ] encmsgArray=null ; 

Label titleLabel=new Label ( "Caesar Cipher Demonstration"); 

Label Labell=new Label ( "Plaintext" ) ; 

TextField msg=new TextField(40) ; 

Label Label2=new Label ( "Ciphertext" ) ; 

TextField encmsg=new TextField ( 40 ) ; 

Label shiftLabel=new Label ("Shift value (0-255):"); 

TextField entryShiftValue=new TextField (40 ) ; 

Button encipherButton=new Button ( "Encipher ") ; 

Button decipherButton=new Button ( "Decipher ") ; 

public void init ( ) { 

setLayout (new GridLayout (9,1)); 

add(titleLabel) ; 

add (Label 1) ; 

add (msg) ; 

add (Labe 12 ) ; 

add(encmsg) ; 

encmsg.setEditable( false) ; 
add (shift Label) ; 
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add(entryShiftValue) ; 
add(encipherButton) ; 

encipherButton . addActionListener ( this ) ; 
add(decipherButton) ; 

decipherButton. addActionListener ( this ) ; 
decipherButton. setEnabled ( false) ; 

} 

public void actionPerformed(ActionEvent e) { 
if (e .getSource ( ) ==encipherButton) { 
try { 

shift=lnteger.parselnt (entryShiftValue.getText ( ) ) ; 

} catch (NumberEormatException nfe) { 
shift=0; 

} 

msgArraY=msg . getText ( ) . getBytes ( ) ; 
encmsgArray=caesarEncipher (msgArray, shift) ; 
encmsg. setText (new String (encmsgArray) ) ; 
msg . setText { " " ) ; 

encipherButton . setEnabled ( false ) ; 
decipherButton. setEnabled (true) ; 

} else if (e . getSource 0 ==decipherButton) { 
msgArray=caesarDecipher (encmsgArray, shift) ; 
msg. setText (new String (msgArray) ) ; 
encmsg . setText ( " " ) ; 
decipherButton . setEnabled ( false ) ; 
encipherButton. setEnabled (true) ; 

} 

} 

//The enciphering method. 

private static byte[] caesarEncipher (byte [ ] message, int shift) { 
byte [ ] m2=new byte [message . length] ; 
for (int i=0 ; i<message . length; i++ ) { 

m2 [i] = (byte) ( (message [i] +shift) %256) ; 

} 

return m2 ; 

} 

//The deciphering method. 

private static byte[] caesarDecipher (byte [ ] message, int shift) { 
byte[] m2=new byte [message . length] ; 
for (int i=0 ; i<message . length; i++ ) { 

m2 [i] = (byte) ( (message [i] + (256-shift) ) %256) ; 

} 

return m2 ; 


} 
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Note that in this program, the Biginteger class (or the Int class) is not used. This is 
because it isn’t necessary to use large integers when we are only shifting a single byte up 
or down by a maximum of 255. Regular Java ints work just fine. In the program, the user 
enters a shift value, and then the plaintext. It enciphers this as an array of bytes, and then 
converts the enciphered byte array back to a string and displays the ciphertext. Next it 
reverses the process and recovers the plaintext. 

Note also that the message need not be text. Any type of data can be enciphered and 
deciphered, as long as it is first converted into an array of bytes. 


5.2 WEAKNESSES OF THE CAESAR CIPHER 

The Caesar Cipher is a secret key cryptosystem; that is, revealing the enciphering key makes 
decryption simple. In the Caesar cipher, the shift value is the enciphering key. Anyone know- 
ing it can immediately decrypt, so it must be protected from unauthorized persons. 

Ciphertext Only Attack. Whenever a cryptosystem can be broken by examining 
only the ciphertext, we call this a ciphertext only attack. As discussed previously, frequency 
analysis of the ciphertext can be used to break the Caesar cipher. Any cipher vulnerable to 
ciphertext only attack is considered completely insecure and should never be used. 

Exhaustive Key Search. There is yet another method for breaking the Caesar cipher: 
simply try all the possible keys ! After all, there are only 25 viable keys in the ordinary alpha- 
bet, and only 255 useful keys in the ASCII alphabet! This kind of attack is called an exhaus- 
tive search. An exhaustive search is rarely effective against all but the simplest of 
cryptosystems. 

Seeing that the Caesar cipher is so vulnerable, we endeavor to develop stronger cryp- 
tosystems. 

5.3 AFFINE TRANSFORMATION CIPHERS 

After the Caesar cipher, the simplest type of enciphering transformation is the affine trans- 
formation, which multiplies each plaintext value by another number and then adds a shift. 
This may be represented by the congruence 

C = mP + b (mod n) 

where n is the size of the alphabet. The multiplier m in the above congruence must be rel- 
atively prime to n, otherwise decryption is not possible. For in order to decrypt, we must solve 
the above congruence for P. A unique solution exists only if an inverse of m modulo n 
(denoted m') exists, which further only exists when (m, n) = 1. The inverse m' of m mod- 
ulo n is easily obtained by using the extended Euclidean algorithm, and hence we have the 
deciphering transformation 


P = m'(C — b) (mod n). 
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_MxAMPLE. Encipher 
WAH LOST 

using an affine transformation with the ordinary alphabet. Use 7 as the multiplier, and 10 
as the shift. Then recover the plaintext. The ordinary alphabet associations are shown in 
Table 5.3; 


ABC 

D 

E 

F 

G 

H I 

1 

K 

L 

M 

N 

O 

P 

Q 

R 

S 

T 

U 

V 

W 

X 

Y 

Z 

0 1 2 

3 

4 

5 

6 

7 8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 

24 

25 

TABLE 5.3 
























The plaintext message, when the letters are converted to their numerical equivalents, 
yields 

22 0 17 11 14 18 19 

We then compute the following congruences: 

C = 7P + 10 ^ 7 • 22 + 10 ^ 8 (mod 26) 

C ^ 7P + 10 ^ 7 • 0 + 10 ^ 10 (mod 26) 

C ^ 7P + 10 ^ 7 • 17 + 10 ^ 25 (mod 26) 

C = 7P + 10 ^ 7 • 11 + 10 ^ 9 (mod 26) 

C = 7P + 10 ^ 7 • 14 + 10 ^ 4 (mod 26) 

C = 7P + 10 ^ 7 • 18 + 10 ^ 6 (mod 26) 

C ^ 7P + 10 ^ 7 • 19 + 10 ^ 13 (mod 26) 

The results of these calculations produce the ciphertext (in numbers) 

8 10 25 9 4 6 13 
or, the corresponding letters, 

IKZJE GN 

To recover the plaintext, we must solve the congruence 

C = 7P + 10 (mod 26) 

for P. Since 7 is relatively prime to 26, an inverse of it exists modulo 26, and it can be found 
solving the congruence 

7x = 1 (mod 26) 

for X. Quick calculations using the extended Euclidean algorithm yield 


X = 15 (mod 26). 
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This value for x is an inverse of 7 modulo 26, and this is easily verified: 

7x = 7(15) = 105 ^ 1 (mod 26). 

Thus, to recover the plaintext from the ciphertext, we crank it through the deciphering 
transformations: 

C ^ 15P - 10 ^ 15 • (8 - 10) ^ 15 • -2 = 22 (mod 26) 

C ^ 15P - 10 ^ 15 • (10 - 10) ^ 15 • 0 ^ 0 (mod 26) 

C ^ 15P - 10 ^ 15 ■ (25 - 10) ^15-15^17 (mod 26) 

15P- 10= 15 ■ (9 - 10)= 15 ■ -1 = 11 (mod 26) 

C ^ 15P - 10 = 15 ■ (4 - 10) ^ 15 ■ -6 = 14 (mod 26) 

C ^ 15P - 10 = 15 ■ (6 - 10) ^ 15 ■ -4 =18 (mod 26) 

C ^ 15P - 10 = 15 ■ (13 - 10) = 15 • 3 = 19 (mod 26) 

which gives us 

22 0 17 11 14 18 19 
or 

WARLO ST. 


5.4 WEAKNESSES OF AFFINE TRANSFORMATION CIPHERS 

Clearly, affine ciphers are secret key ciphers, since if m and b in the enciphering transfor- 
mation C = mP -I- b (mod n) are revealed, it is easy to compute the inverse of m modulo n, 
and then decipher. 

Ciphertext Only Attack-Frequency Analysis. As with the Caesar cipher, break- 
ing affine ciphers is easy. We may proceed as follows: 

1 . Suppose the message is English text, and we are using the ordinary alphabet A = 00, 
B = 01,...,Z = 25. (Of course, the message may not be English text, or even text at all, 
but the principle remains the same.) 

2. Note that the most common letter appearing in English text is “E”(= 4), followed by 
“T”(= 19). 

3. Examine as much ciphertext as possible. The character appearing most often is proba- 
bly the character “E” enciphered, and the second most frequent character is probably 
“T” enciphered. 

4 . Knowing what “E” and “T” map to allows us to calculate a and b, and thus the mapping 
of all the other letters. 
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This can be easily seen with an example. Suppose the letter appearing most frequently 
in a large amount of ciphertext is “V,” followed by “E.” Then “E”(= 4) probably maps to 
“V”(= 21), and “T”(= 19) probably maps to “E”(= 4). We can then form the two congruences 

2\^Aa + b (mod 26) (*) 

4 = 19a + b (mod 26). 

Now, subtract the first congruence in (*) from the second (we can do this by proposition 
20) to obtain 

-17^9^ 15a (mod 26) 

Solving this congruence (for a) yields: 

a = 11 (mod 26). 

We can then replace a with 11 in one of the congruences in (*), then calculate the value 
for b. For example, solving 21 = 4(11) + /? (mod 26) for b yields 

^ 21 - 44 = -23 ^ 3 (mod 26). 

We can then calculate 11', an inverse of 11 modulo m. This we determine quickly to be 

11' ^ 19 (mod 26) 

We can use this value along with b to decrypt a message. If it works, congratulations! If 
not, then our guesses for the mappings of “E” and “T” were incorrect. 

Exhaustive Key Search. Note that using ciphers which map single characters to char- 
acters in this way are simply not practical. If we are using a Caesar cipher with the ordinary 
alphabet, there are only 25 choices for the shift value b, and if we know that an affine cipher 
with the ordinary alphabet is being used, there are only 12 choices for the multiplier and 25 
choices for the shift. A computer could test all of the possible combinations very quickly. 

Monoalphabetic substitution ciphers should never be used. Even if we allow every pos- 
sible character to character mapping in the ordinary alphabet, there are 25! = 
15,511,210,043,330,985,984,000,000 such mappings. (To see this, note that when we map 
the letter “A” to another letter, we have 25 choices, assuming we want to map no letter to 
itself). When we map “B” we have 24 choices remaining (the mapping must be one-to-one; 
no two letters may map to the same letter), and so on. This makes a total of 25 ■ 24 ... 2 ■ 
1 = 25! mappings. (See Table 5.4.) 


TABLE 5.4 



A 

B 

C 

D 

E 

F 

G 

H I 

J 

K 

L 

M 

N 

0 

P 

Q 

R 

S 

T 

U 

V 

W 

X 

Y Z 

2 

2 

2 

2 

2 

2 

1 

1 1 

1 

1 

1 

1 

1 

1 

1 

9 

8 

7 

6 

5 

4 

3 

2 

1 0 

5 

4 

3 

2 

1 

0 

9 

8 7 

6 

5 

4 

3 

2 

1 

0 
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Certainly, 25 ! seems like a huge number (and it is), but even these generalized charac- 
ter-to-character mappings are vulnerable to the same frequency analysis used on Caesar 
ciphers. If enough ciphertext is examined, we can determine what most letters map to, then 
can fill out the rest of the letters by simply guessing. 


THE VIGENERE CIPHER 

As described in Chapter 1 , the Vigenere cipher maps characters to characters based on a key 
which specifies multiple shifts. A key of length « represents a series of shifts • ■ • > V-i- 

The enciphering transformation maps the ith character of the plaintext message P = p^, p^, 
. . . , Pi^i to the ith ciphertext character of the ciphertext message C = Cq, Cj, . . . , in this 
way: 

Cj = Pi + Sr (mod m) (0 < c,- < m, 0 < i < f) 

where 

r = i (mod n) (0 < r < n). 


I£xAMPLE. For convenience in the following example, we provide a table of character-to- 
number associations for the ordinary alphabet. (See Table 5.5.) 

We will use the ordinary alphabet, and the keyword SPACE representing the shifts s^ = 
18, = 15, ^2 = 0, S3 = 2, and J4 = 4. The plaintext message is 

DANGER WILL ROBINSON. 

So using the Vigenere transformation, we compute the following (see Table 5.6). 

Thus, the ciphertext message (grouped in blocks of 5 characters) is 

VPNII JLINP JDBKR KDN 

Vigenere ciphers fall prey to frequency analysis, just like monoalphabetic substitution 
ciphers. See Chapter 1 to see how this is done. 

To get around the weaknesses posed by ciphers which map single characters to single char- 
acters, we may wish to construct mappings that deal with entire blocks of characters. There 
are certainly many more ways to construct such a mapping; these are called block ciphers. 


ABCDEFGH I JKLMNOPQRSTUVWXYZ 


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 


TABLE 5.5 Table of character-to-number associations for the ordinary 
alphabet 
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TABLE 5.6 



5.6 BLOCK AFFINE CIPHERS 

We construct an affine transformation that maps four-letter blocks to other four-letter blocks. 
We will call this a block affine cipher. Suppose we are using the numerical alphabet 00, 01, 
. . . , 99, and suppose the numerals 00 through 25 represent the letters A through Z, respec- 
tively. (For now, we’ll just say that 26 through 99 are unassigned; the reason we’ve extended 
the ordinary alphabet in this way will become clear soon.) The message to send (in charac- 
ters) is 


HOWDY DOO 
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First, regroup the letters into blocks of size four, 

HOWD YDOO 

and convert each letter into its numerical equivalent, grouping the digits together to form a 
large integer. Each character gets two digits; A = 00, B = 01, and so on. Leading zeros are 
significant. 

07142203 24031414 

Note that the largest integer which can appear in a block of size four in the ordinary 
alphabet is ZZZZ = 25252525. Thus, we will choose 25252526 as our modulus. To construct 
an affine cipher mapping, 

C^mP + b (mod 25252526) 

we choose any shift b between 1 and 25252525, and any multiplier m relatively prime to 
25252526. Say we choose b = 23210025 and m = 21035433. (Verify that this choice of m 
is relatively prime to 25252526.) We use these values to map each block to another. For the 
first block we get 

C ^ 21035433 ■ 7142203 + 23210025 = 150239355888924 ^ 8007496 (mod 25252526) 
and for the second we compute 

C ^ 21035433 • 24031414 + 23210025 = 505511222302287 ^ 20470469 (mod 

25252526). 

This gives us the enciphered message 
08007496 20470469 

and this is the message that is sent. Note that no digit pair greater than 25 has an equivalent 
in the ordinary alphabet, and the digit pairs 74, 96, 47, and 69 all appear in the above mes- 
sage. (Now you can see why we took 00, 01, . . . , 99 as our alphabet.) Note that if there are 
less than eight digits in the block, we add leading zeros. To decrypt, we must find an inverse 
modulo 25252526 of m = 21035433. A quick computation with the extended Euclidean 
algorithm reveals m' = 5174971. Using this value and the congruence 

P = m'(C — b) (mod n) 

we can convert the first enciphered block back to its plaintext form, 

p ^ 5174971(8007496 - 23210025) ^ 7142203 (mod 25252526) 
and then the second 

p ^ 5174971(20470469 - 23210025) ^ 24031414 (mod 25252526) 
which returns us to our plaintext message 


HOWD YDOO 
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5.7 WEAKNESSES OF THE BLOCK AFFINE CIPHER-KNOWN 
PLAINTEXT ATTACK 

This cipher, though not vulnerable to frequency analysis, is vulnerable to a different kind 
of attack, called a known plaintext attack. This is when the cryptanalyst has both the cipher- 
text and the corresponding plaintext for a particular message. (This is not so unlikely; one 
plaintext message getting into enemy hands is good enough for this to work. We always 
assume that the cryptanalyst has easy access to every ciphertext message.) Say the analyst 
has ciphertext blocks Cj and C 2 , and their corresponding plaintext blocks Pj and P 2 - These 
values are known, and it is only left to calculate m and b from the two congruences 

Cl = mPi -I- b (mod n) 

C 2 = mP 2 -I- b (mod n). 

We assume that the block size, and hence the value of the modulus, is also known to the 
cryptanalyst. (If not, it shouldn’t be hard to figure out simply by trying different values.) 

I£xAMPLE. Suppose we use the message HOWDY DOO, as previously presented, with the 
same values for the multiplier m = 21035433 and shift b = 23210025. Suppose someone 
eavesdrops on our transmission and easily gets the ciphertext 

08007496 20470469. 

But somehow, through devious means he also gets the plaintext message 

HOWDY DOO 
or 

07142203 24031414. 

To obtain the values for m and b, he must simply solve the two congruences 
8007496 ^ 7142203 m + b (mod 25252526) 

20470469 ^ 24031414 m + b (mod 25252526) 
for m and b. He subtracts the first congruence from the second to get 
12462973 = 16889211 m (mod 25252526) 

which he can solve quickly to get m = 21035433 (mod 25252526). Replacing m in the first 
congruence with 21035433, he gets 

8007496 ^ 7142203 ■ 21035433 h- b (mod 25252526), 
which is then easily solved for b to yield 
^ b^ 23210025 (mod 25252526). 


Though a known plaintext attack may be thought unlikely, especially by egomaniacs 
running a “secure” facility, it is dangerous to use block affine ciphers for this reason, even 
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though they are used in many applications today. Thus, we continue to develop better enci- 
phering methods. However, before we move on to the next topic, we need to address the topic 
of padding. 


PADDING METHODS 

Note that when we use block ciphers, the size of the message we are sending may not be a 
multiple of the block size. For example, when we are using a block size of four, 

HOWDY DOO = HOWD YDOO 

is a perfect multiple of the block size, but 

HOWDY POLKS = HOWD YPOL KS 

is not. When this happens, we must pad the end of the message so that it becomes a perfect 
block. We may choose to pad with some character, such as the letter X, as in 

HOWD YPOL KSXX 

or we may pad with zeros once we have converted the message into its numerical equiva- 
lent, like 

07142203 24051411 10180000 . 

This is not really satisfactory, as the characters or digits that we choose to pad with may 
well be a valid part of the message, and not padding at all. This might possibly create con- 
fusion at the receiving end. One solution to this problem is PKCS#5, a proposed standard 
method of padding. 

PKCS#5 Padding. This type of padding works like this: suppose the block size is 64 
bytes, and the message is 125 bytes long. This makes 1 complete block, plus 61 bytes, 3 bytes 
short of a full block. To complete the block, we append 3 bytes, each containing the num- 
ber 3, as seen in Figure 5.3 (in binary): 

FIGURE 5.3 Message Padding 


0000001 1 0000001 1 0000001 1 


The message is now encrypted, and sent. On the receiving end, the message is decrypted. 
The last block is inspected, and the last 3 bytes, each containing the number 3, are removed. 
In general, if our message is N bytes short of a full block, we append N blocks, each con- 
taining the number N. 

What if our last block is complete? With PKCS#5, we add padding anyway! If our block 
size is 64 bytes, and our message is 128 bytes, we will still append 64 bytes (each byte con- 
taining the number 64) to the message! Why is this done? Suppose the message being sent 
is an exact multiple of the block size. Now, suppose the last 6 bytes of the message happen 
to contain the number 6. How is the receiver to know whether this is padding or part of the 
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FIGURE 5.4 


message? She doesn’t. This is why we append an entire block to messages that are already 
perfect multiples of the block size. 

Note that PKCS#5 padding has a limitation: It cannot be used for ciphers in which the 
ciphertext block size exceeds 255 bytes. This should be simple to see if you note that each 
byte of padding in PKCS#5 contains a binary number revealing the number of bytes of 
padding. Clearly, 111111 1 l(base 2 ) = 255 is the largest number we can write in a byte, so a com- 
plete block of 255 bytes would be padded as shown in Figure 5.4. 


(message) 11111111 I 

I 11111111 







255 bytes of padding 


Java Algorithm. Block ciphers are difficult to write, not because the enciphering trans- 
formations are any more difficult, but because you must pad/unpad and block/unblock the 
messages. To do all this, we will write a Ciphers class; it will contain methods to do all the 
blocking and padding activities, and methods to encipher and decipher using various trans- 
formations. The first will be the block affine transformation. For better readability (hope- 
fully), the explanation for the code is interspersed with the code: 

import j ava . math . * ; 

public class Ciphers { 

The following is the padding method. You pass in the message and the block size. It 
computes the number of blocks, then pads using the PKCS#5 scheme. This means padding 
is added even if the message is a perfect multiple of the block size. It also means that any 
ciphers using this method are effectively limited to a maximum block size of 255 bytes. 

private static bytef] pad(byte[] msg.int blocksize) { 

//Check that block size is proper for PKCS#5 padding 
if (blockSize<l I I blockSize>2 55 ) throw new 

IllegalArgumentException ( "Block size must be between 1 and 255."); 

//Pad the message 

int numberToPad=blockSize-msg . length%blockSize; 
byte[] paddedMsg=new byte[msg.length+numberToPad]; 

System. arraycopy (msg, 0,paddedMsg, 0,msg. length) ; 

for (int i=msg . length; i<paddedMsg . length; i++ ) paddedMsg [i ] = (byte) numberToPad; 
return paddedMsg; 

} 

This method takes a padded message, then converts it to a 2-dimensional byte array. 
Each “vector” in this 2D array is a block. The enciphering methods will work with this 2D 
array. 
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private static bYte[][] block{byte[] msg,int blocksize) { 

//Create a 2D array of bytes corresponding to the message-all blocks should be 
//full 

int numberOfBlocks=msg . length/blockSize; 
byte[] [] ba=new byte [numberOf Blocks] [blocksize]; 
for (int 1=0 ; i<numberOfBlocks ; i++) 
for (int j=0; j<blockSize; j++) 
ba[i] [ j ] =msg [i*blockSize+j ] ; 
return ba; 


This method “unblocks” the message; that is, after the enciphering or deciphering trans- 
formation, it takes the 2D array of blocks, then converts it back to a linear array of bytes. 
The method must be careful to take into account that the enciphering or deciphering trans- 
formation may produce an integer smaller than the block size. In that case, it fills in the lin- 
ear array from the rear of the block. 

private static bytel] unBlock (byte [ ] [ ] ba,int blocksize) { 

//Create the ID array in which to place the enciphered blocks 
byte[] m2=new byte [ba. length*blockSize] ; 

//Place the blocks in the ID array 
for (int i=0 ; i<ba . length; i++) { 
int j =blockSize-l ; 
int k=ba [i] . length-1 ; 
while (k>=0) { 

m2 [i*blockSize+j ] =ba [i] [k] ; 

k--; 

j--; 

} 

} 

return m2 ; 


This method removes the padding. All it has to do is examine the numerical value in the 
last block, then remove exactly that many blocks. 

private static bytel] unPadlbytel] msg,int blocksize) { 

//Determine the amount of padding-just look at last block 
int numberOf Pads= (msg [msg . length-1 ] +256 ) %256 ; 

//Chop off the padding and return the array 
bytel] answer=new bytelmsg.length-numberOfPads]; 

System. arraycopy (msg, 0, answer, 0 , answer . length) ; 
return answer; 


} 
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Finally, here are the enciphering and deciphering methods for the block affine cipher. Each 
accepts a message, the block size, and the values of a and b from the enciphering transfor- 
mation 


C = aP + b. 

public static bytel] af fineEncipher (byte [ ] msg,int blockSize, Biginteger a,BigInteger 
b) { 

//Compute the modulus 

Biginteger modulus=BigInteger .valueOf (2 ) .pow(8*blockSize) ; 

//Check the multiplier 

if (! (modulus . gcd{a) . equals (BigIntegerMath. ONE) ) ) throw new 

IllegalArgumentException ( "Enciphering key is not relatively prime to the 
modulus . " ) ; 

byte ba[] [] =block (pad (msg, blockSize) , blockSize) ; 

//Begin the enciphering 
for (int i=0 ; i<ba . length; i++ ) 

ba [i] =getBytes (a. multiply (new Biginteger (ba [i] ) ) .add(b) .mod(modulus) ) ; 
return unBlock (ba, blockSize); 


public static byte[] af fineDecipher (byte [ ] msg, int blockSize, Biginteger a, Biginteger 
b) { 

//Compute the modulus 

Biginteger modulus=BigInteger . valueOf (2 ) .pow(8*blockSize) ; 

//Check the multiplier 

if (! (modulus . gcd(a) . equals (BigIntegerMath. ONE) ) ) throw new 

IllegalArgumentException ( "Enciphering key is not relatively prime to the 
modulus . " ) ; 

//Compute inverse of a 

Biginteger ainv=a .modinverse (modulus ) ; 

byte[] [] ba=block (msg, blockSize) ; 

//Begin the deciphering 
for (int i=0 ; i<ba . length; i++ ) 

ba [i] =getBytes (BigIntegerMath. Inr (ainv. multiply (new 
Biginteger (ba [i] ) . subtract (b) ) , modulus) ) ; 

//Go from blocks to a ID array, and remove padding; return this 
return unPad (unBlock (ba, blockSize) , blockSize) ; 

} 

This following method is necessary. In order to encipher or decipher, at some point we 
convert Bigintegers back into an array of bytes using the toByteArrayO method from the 
Biginteger class. This method, in addition to returning the binary representation of the Big- 
integer, also returns a sign bit in the high order bit position. This can screw up everything 
if the Biginteger already fills up the block; in this case the extra sign bit forces another byte 
to be created. When this happens, we must remove the forward byte. This is never a prob- 
lem for us, as all of the Bigintegers we use are positive; thus the sign bit is always 0. 
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//Method to rectify the extra bit problem of the toByteArray ( ) method 
private static byte[] getBytes (Biginteger big) { 
byte [ ] bigBytes=big . toByteArray ( ) ; 
if (big.bitLength ( ) %8 ! =0) return bigBytes; 
else { 

byte[] smallerBytes=new byte[big.bitLength()/8]; 

System. array copy (bigBytes , 1, smallerBytes , 0 , smallerBytes . length) ; 
return smallerBytes; 

} 

} 


This is the end of the Ciphers class. More methods will be added later, as we develop more 
cryptosystems. 


} 



I have written an applet called TestBlockAffineCipher Applet to test this cipher. The 
applet can be viewed online at the book’s website. Two screen shots are shown in Figures 
5.5 and 5.6. 


FIGURE 5.5 
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FIGURE 5.6 


Block Affine Cipher Demonstration Applet - Micros^ lot 


File Edit View Favorites Tools Help j 



Plaintext 


Ciphertext 

|'OJOay.||0|?/'x 

Block size (in biites): 

fio 

Shift value: 

112345B7890 

Multiplier (must be relatively prime to modulus): 


|987G54321 



Decipher 




EXERCISES 

1. Writing a program to encipher and decipher individual characters using affine trans- 
formations is very easy. All you need do is use a method that computes inverses mod 
n, and the rest is as easy as writing the Caesar cipher. Write a TestAffineCipherApplet 
class which tests the two static methods affineEncipher(), and affineDecipher(). These 
last two methods should accept an array of bytes (a message), along with the enci- 
phering key(s), and return an array of bytes. You must use primitive ints, so you need 
to write a method to compute inverses modulo n for ints. 

2. Encipher, and then decipher, the following messages using Caesar shift transforma- 
tions with the ordinary alphabet, and where the shift b = 23. 

a. KENNEDY IS DEAD 

b. HITLER IN PERU 

c. BIG BROTHER 

3. Repeat the previous exercise but use a single character affine cipher with a multiplier 
of 15 and a shift of 6. 

4. Repeat the previous exercise, but use a block affine cipher with a block size of 4 char- 
acters per block. Use 25252526, the appropriate value for the modulus (using the ordi- 
nary alphabet), and use 1542327 for the multiplier, and 9923411 for the shift. Pad 
messages that are not multiples of the block size with the letter X. 
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In this chapter we will discuss systems of linear congruences. The systems we consider 
will he of two types: 

1 . Multiple linear congruences consisting of several variables, modulo a single modulus. 

2. Multiple linear congruences consisting of a single variable, modulo different moduli. 

Here, we discuss systems of type 1. For these types of systems, you should know how 
to handle systems of equations, as well as matrices. Take the following example of a sys- 
tem of linear congruences with multiple variables modulo a single modulus: 

5x + 3y + 2z= 2 (mod 7) 

3x + 4y + 6z = 1 (mod 7) (*) 

2x + y + z = 4 (mod 7) 


6.1 MODULAR MATRICES 


Note that we can write this in matrix notation as AX = B (mod 7) where A is 


X is the column vector 


and B is the vector 


5 3 2 
3 4 6 
2 1 1 

X 

y 

z 


2 

1 

4 
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TABLE 6.1 


where congruence for matrices and matrix multiplication are defined as follows: 


Definition 

We say two kxp matrices A and B are congruent to each other modulo n if each entry 
Qij = bj j (mod n) for i = . ,k,i = , p. 


Examples. Here are some examples of congruent matrices. 


3 

4 


13 

-6 

1 

-8 


21 

2 


(mod 10) 



0 

1 

2 


6 


7 

8 



1 

1 

1 

= 

-2 


-5 

1 

(m 


2 

0 

0 


11 


9 

15 


6 

5 

4 

3 


0 - 

-1 


-2 

-3 

0 

0 

6 

4 


0 - 

-6 


0 

-2 

1 

2 

3 

3 

— 

7 

2 


-3 

-9 

0 

0 

1 

7 


6 

0 


-5 

1 


(mod 6) 


Definition 

If A is an m X n matrix, and B is an nXp matrix, the matrix product C = AB is the mXp 
matrix 



^1,1 

Cl. 2 • 



C2A 

C2,2 



^m, 1 

^m,2 

^m,p 

where the i,jth entry of C is Xa, iBj^j 

1,2, . . . 


This simply means we multiply the entries of the ith row of A hy the entries of the jth col- 
umn of B, then sum them up to get the i, /th entry of C = AB. This also means, of course, 
that the number of columns of the first matrix must be the same as the number of rows in 
the second matrix. An example illustrating this process is shown in Table 6.1. 

To use matrices to solve linear systems of congruences, we must determine whether or 
not the operations we use for ordinary matrices representing systems of equations still hold 


12 5 1 


3 

1 

3 


Q 1*1+2*7+5*1+1*2=22 H 

2 4 0 0 


1 

7 

0 









10 30 6 



1 
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for matrices when used for congruences. Recall from linear algebra the three basic row 
operations that are permitted on matrices; we will modify these rules slightly: 

1. Any two rows may be exchanged. 

2. Any row may be multiplied by a nonzero scalar. 

3. A multiple of any row may be added to another row. 

We redefine the three elementary row operations for matrices used to represent a system 
of congruences: 


Definition 

The three elementary row operations for matrices modulo n are: 

1. Any two rows may be exchanged. 

2. Any row may be multiplied by an integer scalar relatively prime to the modulus. 
(Call this a multiple of a row.) 

3. A multiple of a row may be added to another row. 


We will show now that when the elementary operations are defined this way, they do not 
affect the solutions to a system of congruences. 

PROPOSITION 23. When matrices are used to represent a system of linear congru- 
ences, the three elementary row operations for matrices do not affect the solution(s) of the 
corresponding system of congruences modulo n. 


Proof. Operation 1 clearly still holds if the matrices are representing congruences, for 
switching the order of the congruences in a system does not affect the solution. If scalars 
are always understood to be integers, then multiplying both sides of a congruence by a scalar 
that is relatively prime to the modulus will not alter the solution. To see this, consider the 
congruence 

acx + bey = dc (mod n) ($) 

where c is relatively prime to n. Suppose x = x' ,y = y' is a solution to this congruence; that 
is, 

acx' + bey' = dc (mod n). 

Then we have 


ax' + by' = d (mod n) 

by Proposition 21, and so x = x' ,y = y' is also a solution to the congruence 

ax + by = d (mod n). ($$) 

Clearly, the reverse is also true: lfx = Xo,y = y^ is a solution to ($$), then it is also a solu- 
tion to ($). So, the solutions to ($) and ($$) are identical when (c, n) = 1, so operation 2 also 
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holds for matrices representing congruences, provided the scalar multiple is relatively prime 
to the modulus. Lastly, it is clear from proposition 20 that operation 3 is still valid for matri- 
ces when they are used to represent congruences. Proposition 20 says we can add congru- 
ent items to both sides of a congruence without changing the congruence. ■ 


Thus, we can solve the previous system (*) using elementary row operations on the aug- 
mented matrix. We will attempt to produce an upper triangular matrix, then use back sub- 
stitution to obtain values for the variables. When this is done using matrices defined over 
the real numbers it is called Gaussian elimination; we may as well call it that in this setting, 
too. 

5 3 2 2 
3 4 6 1 
2 114 

The augmented matrix A\B. 

5 3 2 2 

6 15 2 

2 114 

Multiply second row by 2; all operations are done modulo 7 and the least nonnegative 
residue is retained. 

5 3 2 2 
0 5 2 4 
2 114 

Subtract 3 times third row from second row. 

5 3 2 2 
0 5 2 4 
5 6 6 3 

Multiply third row by 6. 

5 3 2 2 
0 5 2 4 
0 3 4 1 

Subtract first row from third row. 

5 3 2 2 
0 5 2 4 
0 5 2 4 


5 3 2 2 
0 5 2 4 
0 0 0 0 


Multiply third row by 4. 



6.2 Modular Matrix Inverses 1 29 


Subtract second row from third row. Here we obtain a row of all zeros (mod 7), so we can- 
not get a unique solution in this case. (Here, of course, we take a unique solution to mean 
that all other solutions are congruent to it). 

12 6 6 
0 16 5 
0 0 0 0 

Multiply both the first and second rows by 3, an inverse of 5 modulo 7. This gives the fol- 
lowing solutions for the system: 

y = — 6z -I- 5 = z H- 5 (mod 7), and 

X = —2y — 6z + 6 = 5yH-z + 6 = 5(z-i-5)-t-z + 6 = 6z + 25H-6 = 6z + 3 (mod 7). 

If we allow z to range from 0 through 6, we can list all of the incongruent solutions to 
this system. They are presented in Table 6.2, and you are asked to recompute each solution 
and to verify each of them. 

The preceding example teaches us an important lesson: that systems of congruences may 
have multiple solutions due to linear dependence, as it is in linear algebra. Of course, when 
dealing with congruences, we have finitely many incongruent solutions, rather than infi- 
nitely many solutions as when dealing with systems of equations defined over the real num- 
bers. 

6.2 MODULAR MATRIX INVERSES 

Later on it will be useful for us to be able to obtain the inverse of a square mXm matrix A 
modulo n. That is, we will wish to find the matrix M such that MA = AM = I (mod n), 
where I is the mXm identity matrix. 


1 

0 

0 

... 0 

0 

1 

0 

... 0 

0 

0 

1 

... 0 

0 

0 

0 

0 1 


Of course, an inverse modulo n of a matrix A may not exist, but when it does, we denote 
it as A'. We should be able to find it by forming the augmented matrix A 17, and using 
Gauss-Jordan elimination with elementary row operations. We illustrate how this will be 
done with an example; we will attempt to find an inverse modulo 5 of the 2X2 matrix A, 
which is 

1 4 

2 2 


TABLE 6.2 


X 

3 

2 

1 

0 

6 

5 

4 

y 

5 

6 

0 

1 

2 

3 

4 

z 

0 

1 

2 

3 

4 

5 

6 
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Specifically, we are looking for a matrix A' such that 

A'A^AA' =/(mod 5). 

We begin by joining the matrix A with the 2X2 identity matrix. 


The augmented matrix A\I. 


Subtract twice the first row from the second row. All operations are done modulo 5, and the 
least nonnegative residue is retained. 


Subtract the second row from the first row. 


Multiply the second row by 4, an inverse of 4 modulo 5. Now, we have A', an inverse of A 
modulo 5 ; it is the matrix 


1 

4 

3 

4 

1 0 

2 

2 

2 

4 “ 

0 1 


To verify that this is an inverse of A modulo 5, take the product AA' (you could also take 
A'A), and verify that you get the 2X2 identity matrix. We do this here: 


(mod 5) 


Now that we have discussed finding inverses, we discuss how they may be used. When 
an inverse modulo n of a square matrix A exists, it is quite useful in solving linear systems 
of congruences, for if 

AX = B (mod n), 

then by finding A', an inverse of A modulo n, we can find the solutions by multiplying both 
sides of the congruence by A': 

A' AX = A' B (mod n). 

The left-hand side of the above simplifies to 

A'AZ =1X = X (mod n), 

which then yields 

X = A'B (mod n). 
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The matrices A' and B are both known; we simply take the product A 'B modulo n to get 
our solutions for X. (Note: Linear algebra says that when I is the identity matrix, IX = X, so 
certainly IX = X (mod n).) 


Example. Find the solutions to AX = B (mod 5) by finding A' where A is the matrix 


X is the vector 


1 4 

2 2 


and B is the vector 

3 
2 

We already found the inverse A' of A modulo 5 earlier; it is the matrix 

3 4 
2 4 

and to use it to find X, we simply take the product A'B: 

(mod 5) 

We now verify that x = 2 (mod 5) and y = 4 (mod 5) is actually a solution to the system 
of congruences 

X + 4y = 3 (mod 5) 

2x + 2y = 2 (mod 5). 


3 4 

3 


17 


2 

2 4 

2 


14 


4 


Substitution reveals 


and the solution checks. 


2 + 4- 4= 18 ^3 (mod 5) 
2-2 + 2- 4=12 = 2 (mod 5) 


You may have noticed something amiss in multiplying both sides of the congruence 
AZ = B (mod n) by some matrix A' in order to solve for X. Namely, how do we know that 
multiplying both sides of a matrix congruence by a matrix preserves the congruence? That 
is, if two nXk matrices A and B are such that A = B (mod m), is it true that AC = BC (mod 
m) for any kXp matrix C, and that DA = DB (mod m) for any qXn matrix D7 The next 
proposition shows that this is the case, and thus vindicates our seeming recklessness. 


PROPOSITION 24. Suppose two nXk matrices A and B are such that A = B (mod m) . Then 
AC = BC (mod m) for any kXp matrix C, and DA = DB (mod m) for any qXn matrix D. 
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Proof. Suppose the matrices are as stated. Note that the ijth entries in the product matri- 
ces AC and BC are Xa, ,c, j and X&, ,c, j, respectively. Since A = B (mod m), we have a, , = 
fc, t (mod m) V i and f, and so 

Sfl;, ,c,^j = Xfo,- (mod m) 

by proposition 20, which says congruent items (mod m) can be added to both sides of a 
congruence (mod m) and preserve the congruence. Thus, AC = BC (mod m). The proof that 
DA = BA (mod m) is nearly identical to the previous; you are invited to do it. ■ 

Java Algorithm. In this chapter we discussed modular arithmetic and congruences for 
matrices. This is a perfect opportunity to define a useful class for these purposes. We can 
call it the ModMatrix class; it represents a matrix whose elements are all taken modulo m. 

ModMatrix objects need not be square; we will define how to add, subtract, and multi- 
ply them. There will be exceptions thrown if the matrices are of the improper size. Of course, 
matrices are not invertible unless they are square (and sometimes not even then), so we will 
develop a subclass of ModMatrix called ModSquareMatrix. It will have the appropriate 
methods for inverting matrices. Finally, we will also define a ModIdentityMatrix class, 
which extends ModSquareMatrix. 

First, the ModMatrix class: its data items will consist of a two dimensional array of Big- 
Integers, a Biginteger representing the modulus, and ints to record the number of rows and 
number of columns in the matrix. 

import j ava. math. Biginteger ; 
import java. security. * ; 
public class ModMatrix { 

//A ModMatrix is a 2D array of Bigintegers 
Biginteger [][ ] array; 

//Number of columns/rows recorded here 
int numRows, numCols; 

//The modulus of the ModMatrix 
Biginteger modulus; 

The ModMatrix constructors are of different types. The first produces either a matrix of 
all zeros or of random entries, the second reads a one-dimensional array into a two-dimen- 
sional matrix, and the third simply copies another matrix. The last constructor is the default 
constructor, which accepts no arguments. It does nothing, but is used by the subclasses we 
define. 

//Creates a matrix with random entries having r rows, c columns, 

//Or, it creates a matrix of all zeros 

//Matrices start indexing at 1,1. Zeroth column and row are not used, 
public ModMatrix ( int r,int c, Biginteger m, boolean makeZero) { 

SecureRandom sr=new SecureRandom ( ) ; 
modulus=m; 

array=new Biginteger [r+1] [c+1] ; 
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nuinRows=r ; 
numCols=c; 

for (int i=0 ; i<r ; i + + ) { 

for (int j=0; j<c; j++) { 

//If makeZero set to true, make the zero matrix 
if (makeZero) array [i+1] [j+1] =new Biginteger { "0" ) ; 

//otherwise, make matrix with random entries 
else array [i+1] [j+1] =new 
Biginteger (modulus .bitLength ( ) , sr) .mod (modulus ) ; 

} 

} 

} 

//Creates a matrix getting its values from the ID array a. 

//If array is not long enough to fill matrix, zeros are used, 
public ModMatrix { int r,int c , Biginteger [ ] a, Biginteger m) { 
modulus =m; 

//Make the 2D array larger than specified-indices start at 1,1 
array=new Biginteger [r+1] [c+1] ; 
numRows=r ; 
numCols=c; 

for (int i=0 ; i<r ; i++ ) { 

for (int j=0; j<c; j++) { 
int pos=i*c+j; 

//Set values for the matrix from the array 
if {pos<a.length&&a[pos] !=null) 

array [i+1] [j+1] =BigIntegerMath. Inr (a [pos] ,m) ; 

//If we have run out of input from the array, fill rest of matrix 
//with zeros 

else array [i+1] [j+l]=new Biginteger { "0" ) ; 


//Makes a copy of another ModMatrix 
public ModMatrix (ModMatrix m) { 

array=new Biginteger [m.numRows+1] [m.numCols+1] ; 

numRows =m . numRows ; 

numCols=m. numCols ; 

modulus =m . modulus ; 

for (int i=l ; i<=m. numRows ; i++ ) { 

for (int j =1 ; j<=m.numCols ; j ++ ) { 

array [ i ] [ j ] =new Biginteger (m . array [ i ] [ j ] . toStr ing ( ) ) ; 

} 

} 

} 



1 34 Chapter 6 Systems of Linear Congruences — Single Modulus 


//This is the default constructor; it does nothing-required for subclass 
public ModMatrixO {} 

The methods of this class must provide us with the ability to retrieve the number of rows 
or columns, the modulus, and individual elements in the matrix. We should also be able to 
set entries in the matrix. Thus, the following methods are provided. 

//Methods declared here-get rows or columns or modulus of the ModMatrix 

public int rows { ) {return numRows;} 

public int columns ( ) {return numCols;} 

public Biginteger getModulus {) {return modulus;} 

//Allows one to retrieve an element. 

public Biginteger getElement { int row, int column) {return array [row] [column] ; } 

//Allows one to set the value of an element-least nonnegative residue always used 
public void setElement (int row, int column, Biginteger value) { 
array[row] [column] =BigIntegerMath. Inr (value, modulus) ; 

} 

These are the methods that will be most useful; those that add, subtract, and multiply two 
matrices. The least nonnegative residue modulo m is always maintained. 

//Adds two matrices together and returns result. 

public ModMatrix add (ModMatrix m) throws MatricesNonConformableException { 

ModMatrix result; 

//Matrices must be the same dimensions and have same modulus to be added 
//together 

if ( Imodulus . equals (m. modulus) ) throw new MatricesNonConformableException 
("These matrices cannot be added; different moduli."); 
if (numRows==m.numRows&&numCols==m.numCols) { 

//Make a new ModMatrix for the sum-start with zero matrix 
result=new ModMatrix (numRows , numCols , modulus , true) ; 

//Add i,j-th entries of each to get i,j-th entry of result 
for (int i=l ; i<=numRows ; i++ ) { 

for (int j=l; j<=numCols; j++) { 

result . array [i] [ j ] =BigIntegerMath. inr (array [i] [ j ] . add (m. array [i] [ j ] ) .modulus) ; 

} 

} 

} else throw new MatricesNonConformableException 
("These matrices cannot be added; different dimensions."); 
return result; 

} 

//Subtracts 2nd matrix from 1st and returns result. 
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public ModMatrix subtract (ModMatrix m) throws MatricesNonConformableException { 
//Multiply the 2nd matrix by the scalar -1 then add them-see 
/ /multiply (Biginteger) method 

return this . add (m. multiply (new Biginteger (" -1 "))) ; 

} 

//Multiplies two matrices. 

public ModMatrix multiply (ModMatrix m) throws MatricesNonConformableException { 
ModMatrix result ; 

//Both matrices must be using the same modulus 

if ( (modulus. equals (m. modulus) ) throw new MatricesNonConformableException 
("These matrices cannot be multiplied; different moduli."); 

//If # rows in 2nd matrix = # columns in 1st matrix, they can be multiplied 
//together 

if (m.numRows==numCols) { 

result=new ModMatrix (numRows , m. numCols , modulus , true) ; 

//Move down the rows in outer loop 
for (int i=l ; i<=numRows ; i++ ) { 

//Multiply i-th row of 1st by j-th column of 2nd 
for (int j =1 ; j<=m.numCols ; j ++ ) { 

//Start the i,j-th entry of result at zero 
result . array [i] [j]=new Biginteger ( "0" ) ; 

//i,j-th entry is sum of i,k-th entry of 1st times k,j-th 

//entry of 2nd for all k 

for (int k=l ; k<=m. numRows ; k++) 

result .array [i] [ j ] =BigIntegerMath. Inr 
(result . array [i] [ j ] . add ( array [ i ] [k] .multiply (m. array [k] [ j ] ) ) .modulus) ; 

} 

} 

} else throw new MatricesNonConformableException 
("These matrices cannot be multiplied!"); 
return result; 

} 

//Multiplies a matrix by a scalar. 

public ModMatrix multiply (Biginteger scalar) { 

ModMatrix result=new ModMatrix (numRows , numCols , modulus , true) ; 
for (int i=l ; i<=numRows ; i++ ) 
for (int j=l; j<=numCols; j++) 

//Multiply i,j-th entry by the scalar 

result .array [i] [j ] =BigIntegerMath. Inr (array [i] [j] .multiply ( scalar ) .modulus) ; 
return result; 


} 
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Many of the methods of ModMatrix throw a MatricesNonConformableException; this 
means the matrices were simply of the wrong dimensions to do the operation. 

public class MatricesNonConformableException extends Exception { 
public MatricesNonConformableException ( ) {superO;} 
public MatricesNonConformableException (String s) {super (s);} 

} 



The following test applet, called TestModMatrixCalculatorApplet, just verifies that the 
arithmetic methods as we have defined them actually work. It is a calculator for modular 
matrices. The applet and its source code can he found on the book’s website. A screen shot 
is shown in Figure 6. 1 . 

The ModSquareMatrix inherits all methods from the ModMatrix class, and supplies other 
methods to do Gaussian elimination modulo n. It also uses these same methods to produce 
an inverse modulo n. Of course, if the Gaussian elimination fails an exception will be thrown; 
namely, either a SingularMatrixException or an ArithmeticException. The gaussianSolve() 
method I have written here only works when the modulus is prime; you will be asked in the 
exercises to modify the method so that it works with a composite modulus. 


public class SingularMatrixException extends Exception { 
public SingularMatrixException ( ) {superO;} 
public SingularMatrixException (String s) (super (s);} 

} 


The ModSquareMatrix class definition follows; 

import java .math. Biginteger; 
import j ava . security . * ; 
import j ava. util ; 

//ModSquareMatrix objects inherit all methods from ModMatrix 
public class ModSquareMatrix extends ModMatrix { 


//Creates a square matrix with random entries 
//Or, it creates a matrix with all zeros 


FIGURE 6.1 
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//Another parameter specifies whether or not you wish the random 
//matrix to be invertible; if NOT, matrix may stiil be invertibie by accident 
public ModSguareMatrix { int s,Biglnteger m, boolean makeZero, boolean 
makeinvertible) 

throws MatricesNonConformableException { 

//Call a superconstructor from ModMatrix-make the zero matrix, 

// or a matrix with random entries 
super (s, s,m, makeZero) ; 

//Zero matrix is not invertible 

if (makeZero&&makeInvertible) throw new IllegalArgumentException 
("Zero matrix cannot be inverted!"); 

//A random invertible matrix is desired 
if (makeinvertible) { 

Random r=new Random ( ) ; 

SecureRandom sr=new SecureRandom ( ) ; 
boolean done=false; 

//Do this until the matrix inverts 
while (Idone) { 
try { 

//Try to take the inverse-may throw an exception if not 

//invertible 

this . inverse ( ) ; 

done=true; 

} catch (SinguiarMatrixException sme) { 

//Change a random entjry in the matrix 
int row=Math . abs (r . next Int ( ) ) %numRows+l ; 
int col=Math. abs (r . next Int ( ) ) %numCols+l ; 

Biginteger value=new 

Biginteger (modulus .bitLength ( ) ,sr) .mod (modulus ) ; 
this . setEiement (row, col , value) ; 

} catch (ArithmeticException ae) { 

//Change a random entry in the matrix 
int row=Math. abs (r . next Int ( ) ) %numRows+l ; 
int col=Math . abs (r . next Int ( ) ) %numCols+l ; 

Biginteger value=new 

Biginteger (moduius .bitLength ( ) ,sr) .mod (modulus ) ; 
this . setEiement (row, col , value) ; 

} 

} 

} 

} 
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//Makes a square matrix from a ID array of values 
public ModSguareMatrix ( int s , Biginteger [ ] a,BigInteger m) { 
super (s, s,a,m) ; 

} 

//Makes a copy of a matrix 

public ModSguareMatrix (ModSguareMatrix m) { 

array=new Biginteger [m.numRows+1] [m.numCols+1] ; 

numRows =m . nuttiRows ; 

numC o 1 s =m . numC o 1 s ; 

modulus =m . modulus ; 

for (int i=l ; i<=m. numRows ; i++) { 

for (int j=l ; j<=m. numCols ; j ++) { 

array [i] [ j ] =new Biginteger (m. array [i] [ j ] . toString ( ) ) ; 

} 

} 


//Method which uses Gaussian elimination to solve AX=B mod m for X 

//A is the ModSguarematrix calling the method 

//B is the Modmatrix constants - need not be a Vector 

//X is the ModMatrix returned 

public ModMatrix gaussianSolve (ModMatrix constants) throws 
MatricesNonConformableException, SingularMatrixException { 

//This method only works when the modulus is prime 

if ( (modulus . isProbablePrime (16) ) throw new IllegalArgumentException 

("Gaussian elimination method currently requires modulus to be prime!") 
//Gopy the matrices and modify the copies 
ModSquareMatrix mat=new ModSguareMatrix ( this ) ; 

ModMatrix b; 

//If the ModMatrix constants is square, the answer should also be a 
//ModSquareMatrix object 
//(not just a ModMatrix) 

//Gheck for this here 

if (constants instanceof ModSquareMatrix) 

b=new ModSquareMatrix ( (ModSquareMatrix) constants) ; 
else b=new ModMatrix(constants) ; 

//Gheck if matrices are of compatible size first 

if ( b. numRows ! =mat .numRows) throw new MatricesNonConformableException 
("Matrix of coefficients and matrix of constants have different # of rows! 

//Work the rows, starting with the first row 

int currentRow=l ; 

while (currentRow<=mat .numRows) { 
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int i=currentRow; 

//Make sure diagonal element is nonzero, if possible, by swapping 
while 

( i<=mat .numRows&&mat . array [ i] [currentRow] . equals (BigIntegerMath . ZERO) ) 
i + + ; 

if ( i>mat . numRows ) throw new SingularMatrixException 
("Linear dependence exists here!"); 

//Swap with a row not having zero in diagonal position 
if ( currentRow !=i) swapRows (mat , b, currentRow, i ) ; 

//Now, you must produce all zeros below and above the diagonal element 

i=l; 

//Multiply each row by the proper scalar 
while (i<=mat .numRows) { 
if (i ! =currentRow) { 

Biginteger scalar=mat . array [ i] [currentRow]; 
if ( Iscalar. equals (BigIntegerMath. ZERO) ) { 

multiplyRow(mat,b, i, mat. array [currentRow] [currentRow] ) ; 
multiplyRow(mat,b, currentRow, scalar) ; 

//Replace row i with row i minus diagonal row 
subtractRow(mat,b, 1, currentRow) ; 

} 

} 

i + + ; 

} 

currentRow++ ; 

} 

//Now, produce I's along main diagonal by multiplying by an inverse 
for ( int index=l ; index<=mat . numRows ; index++ ) { 

multiplyRow (mat , b, index, mat . array [ index] [index] .modinverse (modulus ) ) ; 

} 

//Remember, b may be a square matrix-polymorphism takes care of this here 
return b; 

} 

//This method exists in case the answer is actually a square matrix 
public ModSquareMatrix gaussianSolve (ModSquareMatrix constants) 

throws MatricesNonConformableException, SingularMatrixException { 
return (ModSquareMatrix) gaussianSolve ( (ModMatrix) constants ) ; 

} 

//Used by gaussianSolve to multiply a row by some scalar 

private void multiplyRow (ModSquareMatrix mat , ModMatrix b,int i, Biginteger 
scalar) { 

//Multiplies row i by scalar-answer replaces i-th row 
for (Int k=l ; k<=mat . numCols ; k++) 

mat. array [i] [k] =BigIntegerMath. Inr (mat .array [1] [k] .multiply (scalar) , mat .modulus ) ; 



140 Chapter 6 Systems of Linear Congruences — Single Modulus 


for (int k=l ; k<=b .numCols ; k++ ) 

b.arraY[i] [k] =BigIntegerMath. Inr (b. array [i] [k] .multiply (scalar ) , mat . modulus ) ; 

} 

//Used by gaussianSolve to subtract one row from another 
private void subtractRow(ModSquareMatrix mat , ModMatrix b,int i,int j) { 
//Subtracts row j from row i; answer replaces row i 
for (int k=l ; k<=mat .numCols ; k++ ) 

mat. array [i] [k] =BigIntegerMath. Inr (mat . array [i] [k] . subtract (mat . array [j ] [k]),mat. 
modulus) ; 

for (int k=l ; k<=b .numCols ; k++ ) 

b.arraY[i] [k] =BigIntegerMath. Inr (b. array [i] [k] . subtract (b. array [j ] [k] ), mat .modulus) 

} 

//Used by gaussianSolve to swap two rows 

private void swapRows (ModSguareMatrix mat, ModMatrix b,int rl,int r2) { 

Biginteger temp; 

for (int j =1 ; j<=mat . numCols ; j ++ ) { 
temp=mat . array [rl] [j] ; 
mat . array [ r 1 ] [ j ] =mat . array [ r 2 ] [ j ] ; 
mat . array [ r2 ] [ j ] =temp ; 

} 

for (int j=l; j<=b. numCols; j++) { 
temp=b. array [rl] [j] ; 
b . array [ r 1 ] [ j ] =b . array [ r 2 ] [ j ] ; 
b . array [ r2 ] [ j ] =temp ; 

} 

} 

//Method produces an inverse of A (if possible) by using gaussianSolve on AX=I 
//mod m 

//where I is an identity matrix 
public ModSguareMatrix inverse]) throws 
MatricesNonConformableException, SingularMatrixException { 

//See the ModidentityMatrix class-subclass of ModSguareMatrix 
return gaussianSolve (new ModidentityMatrix (numRows , modulus )) ; 

} 

} 

Finally, we define a ModidentityMatrix class, which is a subclass of the ModSquare- 
Matrix class. We use it in the inverse() method of ModMatrix, by generating the augmented 
matrix A\I to produce an inverse of A. 

import java.math.BigInteger; 

//ModidentityMatrix objects inherit all methods from ModSguareMatrix, and from 
ModMatrix 
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FIGURE 6.2 



public class ModldentityMatrix extends ModSquareMatrix { 

//Make a ModSquareMatrix whose diagonal elements are all 1, zeros elsewhere 
public ModldentityMatrix ( int n,BigInteger mod) throws 

MatricesNonConf ormableException { 

//Call a super constructor first, making zero matrix 
super {n,mod, true, false) ; 

//Set the diagonal elements to 1 

for (int i=l ; i<=n; i++) array [ i ][ i ] =new Biginteger ( "1" ) ; 

} 


} 



I have written a test applet called TestLinearSystemSolveApplet to test Gaussian elimi- 
nation modulo m. Consider the congruence AX = B (mod m). The user enters the modulus 
m, the square matrix of coefficients A, and a vector of constants B. If a unique solution X 
exists modulo m, the applet will compute and display it. The applet and its source code can 
be found on the book’s website. A screen shot is shown in Figure 6.2. 


EXERCISES 

1. Solve the following systems of linear congruences, if any solutions exist. For any sys- 
tems that have multiple solutions, report all the solutions. 

a. 2x -I- 5y = 1 (mod 11) 

3x + 2y = 7 (mod 11) 

b. 2x -I- 5y = 1 (mod 11) 

3x -t- 2y = 6 (mod 11) 

c. 4x + 3y + z=2 (mod 7) 
y H- 3z = 5 (mod 7) 

2x + 6y + 3z = 0 (mod 7) 
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d. llx+ 12y + z = 1 (mod 23) 

15x + 20y + 22z ^ 11 (mod 23) 

3 jc + 93 ; ^ 12 (mod 23) 

e. llx + 12y + z = 1 (mod 23) 

15x + 20^ + 22z ^ 11 (mod 23) 

3x + 9y = 10 (mod 23) 

2 . Find an inverse of the matrix A modulo n, if such an inverse exists. 

a. n = 26, and matrix A follows: 

2 7 
5 1 

b. n = 25, and matrix A follows: 


3 0 1 

4 3 2 

c. n = 7, and matrix A follows: 

2 0 0 
3 3 0 
6 1 2 

d. n = 13, and matrix A follows: 

10 9 0 
0 2 3 0 

3 4 0 1 

10 1 2 1 

3 . Write a transpose() method for the ModMatrix class which returns the transpose of a 
matrix. The transpose of a matrix is simply the matrix “flipped over”; that is, the mXn 
matrix becomes an nXm matrix where the i, yth element in the transpose is just the j, 
ith element of the original. For example, the transpose of 

1 2 
3 4 
5 6 

is 

1 3 5 

2 4 6 

4 . Modify the gaussianSolve() method so that it works for matrices whose modulus is not 
prime. 
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Matrix Ciphers 


Matrices offer us an alternative way to implement a linear block cipher. We will call 
such a matrix-based cryptosystem a matrix cipher. In the matrix ciphers, we use an 
enciphering transformation 

C = AP + B (mod n) 

but now A is a mXm matrix (called the enciphering matrix), P is a column vector of num- 
bers corresponding to a block of plaintext letters of length m, and P is a column vector of 
length m. (When B is the zero vector, these are called Hill ciphers.) To decipher, we must 
again solve for P: 

AP + B = C (mod n) 

AP = C — B (mod n) 

P = IP = A’AP = A'(C - B) (mod n). 

(Proposition 24 allows us to multiply both sides of a congruence by a matrix and preserve 
the congruence.) A' represents an inverse of A modulo n; that is. A' must satisfy the con- 
gruence 

A' A = I (mod n) 

where / represents the identity matrix. A must be chosen, of course, so that it has an inverse 
modulo n. 


Example. We use the ordinary alphabet, so n = 26. Let the enciphering matrix A be 

5 17 

4 15 


let the shift vector B be 


5 

2 
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5 17 

19 


5 


11 

4 15 

7 

+ 

2 

— 

1 


5 17 

4 


5 


15 

4 15 

4 

+ 

2 

— 

0 


and the message is THE END, which we split into blocks of size 2 to get TH EE ND. To 
encipher the plaintext TH, we use the vector P, which is 

19 
7 

and crank it through the transformation AP + B = C (mod 26). 

(mod 26) 

The number pair 11,1 corresponds to the letter pair LB, and so this is the ciphertext. We now 
encipher the pair EE 

S 17 4 S IS 

(mod 26) 

which yields the ciphertext PK. Finally, we encipher the pair ND 

(mod 26) 

Z,i 

to get the ciphertext RV. Thus, the message sent is 
LB PA RV. 

To decipher, compute an inverse A' of A modulo 26; verify that the following is such a 
matrix. 

' 17 5 

18 23 

To decipher, crank the ciphertext through the inverse transformation P = A' {C — B) 
(mod 26). If we send the letter pair LB back through. 


5 17 

13 


5 


17 

4 15 

3 

+ 

2 

— 

21 


17 

5 

11-5 


19 

18 

23 

1-2 


7 


(mod 26) 


we note that we have the pair 19, 7 corresponding to the letter pair TH, the original plain- 
text. You are invited to do the subsequent letter pairs. 


Note that we can make the block size m as large as desired by choosing large mXm 
encryption matrices. When m > 10, cryptanalysis of such systems is quite difficult. 


7.1 WEAKNESSES OF MATRIX CRYPTOSYSTEMS 

Matrix cryptosystems, like the block affine system, are resistant to frequency analysis. In 
general, when using the ordinary alphabet with blocks of size n, there are 26" different ways 
to map an n-block of text to another. Maintaining a frequency table of these blocks when n 
is large quickly becomes infeasible. For example, when the enciphering matrix is 10 by 10, 
that is, the block size n = 10, there are 26'“ s 1 .4 X 10''' possible blocks. A table of that size 
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would quickly exhaust the space and exceed the search time of even the greatest comput- 
ers. For this reason, matrix ciphers (where the size of the block is reasonably large) are still 
used today, and are relatively secure for most purposes. 

Of course, these matrix cryptosystems are secret key. The enciphering matrix A is the enci- 
phering key, and must be given only to authorized users, since anyone in possession of it 
can quickly compute the inverse deciphering matrix A' and decipher messages. 

Known Plaintext Attack. You will notice that the matrix ciphers are vulnerable to 
a known plaintext attack, for if a cryptanalyst manages to acquire enough plaintext P = pi, 
P 2 , ■■■, Pm corresponding to known ciphertext C = Cj, C 2 , . . . , c,„, she can compute the 
inverse A' of the enciphering matrix A, and the shift vector B, by solving the matrix con- 
gruence AP + B=C (mod n) for A and B, or equivalently, by solving the corresponding sys- 
tem of congruences 

«i,iPi + « 1 , 2 P 2 + ■ ■ ■ + fli.rf’m + bi= Cl (mod n) 

«2.lPl + a2,2P2 + ■ ■ ■ + fl2.mPm + ^2 = C 2 (mod «) 

+ «m, 2 P 2 + ■ ■ ■ + = c,„ (mod n) 

using different plaintext to ciphertext mappings. 


lixAMPLE. Suppose a cryptanalyst knows we are using a matrix cipher of block length 2, with 
the ordinary alphabet. She has some ciphertext, 

BT GT HM 

and its corresponding plaintext 
AT TA CK. 

The job of the cryptanalyst is to get what she doesn’t know, namely A and B. Suppose 
she denotes the enciphering matrix A as 

a b 
c d 

and the shift vector B as 

t 

The first mapping takes the pair AT to BT, or 


Ofl + I9b H- = 1 (mod 26) 
Oc + I9d H- 1 = 19 (mod 26) 
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and the second and third mappings follow: 

19a + 0b + s = 6 (mod 26) 
19c + 0d + t= 19 (mod 26) 

2a + IQb + s = 1 (mod 26) 
2c + lOr/ + t = 12 (mod 26) 
She then rearranges the congruences to get two systems 

Oa + \9b + ^ = 1 (mod 26) 
19a + Ofc + ^ = 6 (mod 26) 
2a + IQb + s = l (mod 26) 

and 


Oc + \9d + t= \9 (mod 26) 

19c + 0d + t= 19 (mod 26) 

2c + \0d + t= \2 (mod 26). 

She solves the first system to obtain values for a, b, and s, and the second system to get 
the values for c, d, and t. Since the coefficients of the two systems are the same, she can solve 
them simultaneously. 


0 

19 

1 

1 

19 

19 

0 

1 

6 

19 

2 

10 

1 

7 

12 


She then proceeds to reduce the matrix, say first by multiplying row 2 by 1 1 , an inverse 
of 19 modulo 26, then by swapping row 2 with row 1, then by subtracting row 1 from row 
3. This yields 


1 

0 

11 

14 

1 

0 

19 

1 

1 

19 

0 

10 

5 

5 

10 


She then multiplies row 2 by 11, then subtracts 10 times row 2 from row 3 


1 

0 

11 

14 

1 

0 

1 

11 

11 

1 

0 

0 

25 

25 

0 
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She then multiplies row 3 by 25 (which is its own inverse mod 26), then subtracts 1 1 times 
row 3 from both row 1 and row 2. This gives the desired solutions. 


1 

0 

0 

3 

1 

0 

1 

0 

0 

1 

0 

0 

1 

1 

0 


She now knows that 


a = 3 (mod 26) 

c = 1 (mod 26) 

b = 0 (mod 26) 

d = 1 (mod 26) 

s = 1 (mod 26) 

f = 0 (mod 26) 

and so an enciphering matrix A is 


3 0 
1 1 

and its corresponding shift vector B is 

1 

0 

(You should test these values to ensure that A and B actually map the given plaintext to the 
ciphertext.) Once our cryptanalyst has A, it is simple to compute the inverse A' modulo 26 
to obtain 

9 0 


Example. Earlier we enciphered the message 
TH EE TO 
to the ciphertext 
LB PA RV. 

Suppose the cryptanalyst knows we are using matrix ciphers of block size m = 2 with the 
ordinary alphabet. She acquires both the plaintext message and the ciphertext message. 
Now, 

“TH”(=19 7) corresponds with “LB”(=11 1), 

“EE”(=4 4) corresponds with “PA”(=15 0), 

“ND”(=13 3) corresponds with “RV”(=17 21). 

Using the same procedure described above, she solves the first system to obtain values 
for a, b, and s, and the second system to get the values for c, d, and t. You should be able to 
do this, and to verify that an enciphering matrix A is 


5 17 

4 15 
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and the corresponding shift vector B is 

5 

2 ' 

It is now a simple matter for her to compute A', an inverse of A modulo 26. 

17 5 

18 23 

In these examples we have chosen the block size to be artificially small to simplify the 
computations. In reality larger block sizes would be used; the computations involved are the 
same, there are only more of them. 


Java Algorithm. You will be asked in the exercises to develop some classes to perform 
encryption and decryption with matrices, but before you do that, we review a couple of con- 
structors, one from ModMatrix, and the other from ModSquareMatrix. I refer to the con- 
structors which produce a ModMatrix or a ModSquareMatrix with random entries; here is 
the code for review: 

//Creates a matrix with random entries having r rows, c columns, 

//Or, it creates a matrix of all zeros 

//Matrices start indexing at 1,1. Zeroth column and row are not used, 
public ModMatrix ( int r,int c,BigInteger m, boolean makeZero) { 

SecureRandom sr=new SecureRandom ( ) ; 
modulus=m; 

array=new Biginteger [r+1] [c+1] ; 

numRows=r ; 

numCols=c; 

for (int i=0 ; i<r; i++) { 

for (int j=0; j<c; j++) { 

//If makeZero set to true, make the zero matrix 
if (makeZero) array[i+l] [j+l]=new Biginteger (" 0 ") ; 

//otherwise, make matrix with random entries 
else array [i+1] [j +1] =new 

Biginteger (modulus .bitLength ( ) ,sr) .mod (modulus) ; 

} 

} 

} 

//Creates a square matrix with random entries 
//Or, it creates a matrix with all zeros 

//Another parameter specifies whether or not you wish the random 

//matrix to be invertible; if NOT, matrix may still be invertible by accident 
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public ModSquareMatrix ( int s,Biglnteger m, boolean makeZero, boolean make Invertible) 
throws MatricesNonConformableException { 

//Call a superconstructor from ModMatrix-make the zero matrix, 

//or a matrix with random entries 
super ( s , s , m, makeZero ) ; 

//Zero matrix is not invertible 

if (makeZero&&makeInvertible) throw new IllegaiArgumentException 
("Zero matrix cannot be inverted!"); 

//A random invertible matrix is desired 
if (make Invertible) { 

Random r=new Random ( ) ; 

SecureRandom sr=new SecureRandom { ) ; 
boolean done=false; 

//Do this until the matrix inverts 
while (!done) { 
try { 

//Try to take the inverse-may throw an exception if not invertible 

this . inverse ( ) ; 

done=true; 

} catch ( SingularMatrixException sme) { 

//Change a random entry in the matrix 
int row=Math.abs (r.nextint { ) ) %numRows+l; 
int col=Math. abs (r .nextint { ) ) %numCols+l ; 

Biginteger value=new 

Biginteger (modulus .bitLength ( ) ,sr) .mod (modulus) ; 
this . setElement (row, col, value) ; 

} catch (ArithmeticException ae) { 

//Change a random entry in the matrix 
int row=Math.abs (r.nextint ( ) ) %numRows+I; 
int col =Math. abs (r . nextint ( ) ) %numCols+I ; 

Biginteger value=new 

Biginteger (modulus .bitLength ( ) ,sr) .mod (modulus) ; 
this . setElement (row, col, value) ; 

} 

} 

} 

} 

The ModSquareMatrix constructor has an additional boolean variable to allow the user 
to specify whether or not they wish to enforce invertibility on the new matrix. If so, we can 
use this to generate random invertible square matrices modulo n; perfect for use as keys 
with this cryptosystem. 
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FIGURE 7.1 


7.2 



There is an applet called TestRandomModSquareMatrixApplet which can be found on 
the book’s website. It generates random invertible matrices for a specified size, and modu- 
lus. Pressing a button allows you to invert the matrix. A screen shot of this applet is shown 
in Figure 7.1. 


TRANSPOSITION CIPHERS 

As you recall, transposition ciphers simply permute the characters in a plaintext message. 
Matrices provide us with a convenient way of specifying permutations for this purpose. 
Thus, we make the following definition: 
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Definition 

A square matrix A is a transposition matrix if each column and row of A contain a sin- 
gle 1 ; all other entries are 0. 


lixAMPLE. 


LL 


A = 


0 0 10 
0 0 0 1 
0 10 0 


Note that an identity matrix is a transposition matrix (but one which we would never 
use). These types of matrices do exactly what we want. Note that if we take the product 


y = AX 


where V and B are column vectors, and A is a transposition matrix, then 

• since each row of A contains a single 1 , each entry in V will merely be an entry from X, 
and 

• since each column of A contains a single 1 , each entry of V will be a different entry from 

Z. 

Thus, the entries of V are merely a permutation of the entries of X. 


3 


XAMPLE. 


Suppose we have the following: 


A = 


0 

0 

1 

0 

0 


1 

0 

0 

0 

0 


0 0 0 
0 0 1 
0 0 0 
1 0 0 
0 1 0 


B = 


12 

5 

23 

8 

6 


and we take V = BX. Then we see that 


0 10 0 0 


12 


5 

0 0 0 0 1 


5 


6 

1 0 0 0 0 


23 

= 

12 

0 0 10 0 


8 


23 

0 0 0 1 0 


6 


8 
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We can now specify in terms of matrices what we mean by a transposition cipher. A 
transposition cipher having block length n maps a plaintext block P (as a column vector) to 
a ciphertext block C (also a column vector) by the transformation 

C = AP. 


I£xAMPLE. Suppose we wish to encrypt the message THIS IS NIRVANA using the transpo- 
sition matrix 


A = 


0 0 10 0 
0 0 0 0 1 
0 0 0 1 0 
0 10 0 0 
1 0 0 0 0 


and the ordinary alphabet. First, we group the plaintext into blocks of length 5, 

THIS! SNIRV ANAXX 

and, if necessary, pad with X’s (or random letters, if desired). This corresponds to the mes- 
sage 

19 7 8 18 8 18 13 8 17 21 0 13 0 23 23 . 

If we consider each block as a column vector, we derive each enciphered block by mul- 
tiplying A by each plaintext vector. So we get this for the first, second, and third blocks: 


0 0 10 0 


19 


8 

0 0 0 0 1 


7 


8 

0 0 0 1 0 


8 

= 

18 

0 10 0 0 


18 


7 

1 0 0 0 0 


8 


19 


0 

0 

1 

0 

0 


18 


8 

0 

0 

0 

0 

1 


13 


21 

0 

0 

0 

1 

0 


8 

= 

17 

0 

1 

0 

0 

0 


17 


13 

1 

0 

0 

0 

0 


21 


18 

0 

0 

1 

0 

0 


0 


0 

0 

0 

0 

0 

1 


13 


23 

0 

0 

0 

1 

0 


0 

= 

23 

0 

1 

0 

0 

0 


23 


13 

1 

0 

0 

0 

0 


23 


0 


Thus, the enciphered message is 

8 8 18 7 19 8 21 17 13 18 0 23 23 13 0 
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or 


IISHT IVRNS AXXNA 

Of course, we must ensure that transpositions are reversible. It seems natural to think that 
they are, but how do we do this in the setting of matrices? Of course, what we seek is an 
inverse A' of the transposition matrix A so that 

P=A’C. 

Transposition matrices are easily invertible using Gauss-Jordan elimination with the 
augmented matrix Al/. Since a transposition matrix is chosen so that each row and column 
contains a single 1, and nothing else, any such matrix can be reduced to an identity matrix 
simply by swapping rows! Thus, an inverse A' of any transposition matrix A always exists. 


Example. Let a be defined as the same matrix used in our transposition cipher example; that 
is 





0 

0 

1 

0 

0 






0 

0 

0 

0 

1 




A 

= 

0 

0 

0 

1 

0 






0 

1 

0 

0 

0 






1 

0 

0 

0 

0 



'A, first form 

the augmented matrix 

0 

0 

1 

0 

0 

1 

0 

0 

0 

0 

0 

0 

0 

0 

1 

0 

1 

0 

0 

0 

0 

0 

0 

1 

0 

0 

0 

1 

0 

0 

0 

1 

0 

0 

0 

0 

0 

0 

1 

0 

1 

0 

0 

0 

0 

0 

0 

0 

0 

1 


By simply swapping the rows so that we obtain the identity matrix on the left hand side, 
we get 


1 

0 

0 

0 

0 

0 

0 

0 

0 

1 

0 

1 

0 

0 

0 

0 

0 

0 

1 

0 

0 

0 

1 

0 

0 

1 

0 

0 

0 

0 

0 

0 

0 

1 

0 

0 

0 

1 

0 

0 

0 

0 

0 

0 

1 

0 

1 

0 

0 

0 


Thus, the inverse A' of A that we seek is 

0 0 0 0 1 

0 0 0 1 0 

1 0 0 0 0 

0 0 10 0 
0 10 0 0 


A' = 
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We will use this inverse to regain the plaintext of our ciphertext example. We get for the 
first block 


for the second we get 


and for the third we get 


0 0 0 0 1 


8 


19 

0 0 0 1 0 


8 


7 

1 0 0 0 0 


18 

= 

8 

0 0 10 0 


7 


18 

0 10 0 0 


19 


8 


0 0 0 0 1 


8 


18 

0 0 0 1 0 


21 


13 

1 0 0 0 0 


17 

= 

8 

0 0 10 0 


13 


17 

0 10 0 0 


18 


21 


0 0 0 0 1 


0 


0 

0 0 0 1 0 


23 


13 

1 0 0 0 0 


23 

= 

0 

0 0 10 0 


13 


23 

0 10 0 0 


0 


23 


This produces the plaintext blocks 

19 7 8 18 8 18 13 8 17 21 0 13 0 23 23 


THISI 


SNIRV 


ANAXX. 


7.3 COMBINATION SUBSTITUTION/TRANSPOSITION CIPHERS 

When substitution ciphers are combined with transposition ciphers, the resulting cipher can 
be very hard to crack, especially when the block sizes are different. Now that we have a con- 
venient vehicle (matrices) for representing these ciphers, we will discuss how this is done. 

Suppose we use a matrix cipher to map blocks of n characters from the plaintext P to the 
ciphertext C . Then we regroup this ciphertext into blocks of size m and apply a transposi- 
tion cipher to these blocks to produce another ciphertext C". This, of course, permutes the 
characters in each m character block, and since the first encryption was done for n charac- 
ter blocks, some characters find themselves in different blocks. Finally, to put another nail 
in the coffin, we can encrypt C" again using the first matrix cipher to produce the final 
ciphertext C. For many ciphers, multiple encryption does not strengthen the cipher; hence 
it is often just a waste of time, but in this case, it strengthens the cipher considerably. This 
type of cryptosystem confounds any attempt at frequency analysis, and even makes a known 
plaintext attack more difficult. 
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Note that if we are using this type of cipher, we must be careful about how we pad the 
message. We must pad enough characters so that the message is divisible by both n and m 
(the block size of the first and second ciphers, respectively.) Thus, we wish to ensure the size 
of the message is divisible by the least common multiple of m and n. 

Example. Suppose we are using the ordinary alphabet, and we wish to encipher the fol- 
lowing message 

SCOOBY DOO WHERE ARE YOU 

using first the matrix cipher transformation C = AP + B (mod 26) where the enciphering 
matrix A is 

5 17 

4 15 

and the shift vector B is 

5 

2 

Secondly, we wish to perform a transposition C" = TC, where the transposition matrix 
Tis 

0 0 0 1 0 

1 0 0 0 0 

0 0 0 0 1 . 

0 10 0 0 
0 0 10 0 

Note that the substitution cipher uses a block size of 2 characters, whereas the transpo- 
sition cipher uses a block size of 5 characters. Thus, the length of the plaintext needs to be 
divisible by lcm(2, 5) = 10. Finally, we apply once again the previous matrix substitution 
to get the final ciphertext. 

C ^ AC + B (mod 26). 

We will first group the plaintext P into letter pairs: 

SC 00 BY DO OW HE RE AR EY OU 
and note that in this case, no padding is necessary. (See Table 7.1.) 


A B 

C 

D 

E 

F 

G 

H I 

J 

K 

L 

M 

N 

0 

P 

Q 

R 

S 

T 

U 

V 

W 

X 

Y 

Z 

0 1 

2 

3 

4 

5 

6 

7 8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 

24 

25 


TABLE 7.1 
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Converted to numbers (using Table 7.1) the message is 

18 2 14 14 1 24 3 14 14 22 7 4 17 4 0 17 4 24 14 20 . 

When we apply the matrix transformation C = AP + B (mod 26), we get the results 

shown in Table 7.2. 

Now, we regroup the ciphertext into blocks of length 5. 

25 0 1 8 2 2 24 16 7 24 4 12 2 0 8 23 17 14 25 20 

We apply the transposition cipher C" = TC. (See Table 7.3.) 

Finally, we regroup the ciphertext into blocks of length 2, and reapply the first matrix 
transformation. (See Table 7.4.) 

The final ciphertext is 

CT PK ZH HG HA VK PG YV SE QU. 

What makes ciphers like this so difficult for anyone doing frequency analysis is that the 
blocks are split up by the enciphering transformation. You should verify that the plaintext 
is regained by applying the inverse matrix transformation (at the beginning and the end) 
using 

A'= ^ 

18 23 


p 

18 2 

14 14 

1 24 

3 14 

14 22 

74 

17 4 

0 17 

4 24 

14 20 

c 

25 0 

1 8 

22 

24 16 

7 24 

4 12 

20 

8 23 

17 14 

25 20 


TABLE 7.2 


C 

25 0 1 8 2 

2 24 16 7 24 

4 12208 

23 17 14 25 20 

C" 

8 25 2 0 1 

7 2 24 24 16 

048 122 

25 23 20 17 14 


TABLE 7.3 


C" 

8 25 

20 

1 7 

2 24 

24 16 

04 

8 12 

2 25 

23 20 

17 14 

C 

2 19 

15 10 

25 7 

76 

70 

21 10 

15 6 

24 21 

18 4 

16 20 


TABLE 7.4 
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and 


T' = 


0 

0 

0 

1 

0 


10 0 0 
0 0 10 
0 0 0 1 
0 0 0 0 
0 10 0 


the inverse of the transposition matrix T. 


Example. Here we encipher the message 
BLOW ME DOWN 


using the ordinary alphabet, a 3X3 substitution matrix, and a 4X4 transposition matrix. 
Here, though, the transposition is done by taking C" = C'T, instead of C" = TC. 

Enciphering matrix: 

7 19 22 


a = 15 11 1 


0 21 17 

The inverse of the enciphering matrix modulo 26: 

14 23 5 

ainv = 7 21 5 

25 23 0 

The transposition matrix: 

0 10 0 

0 0 0 1 

t = 

10 0 0 

0 0 10 

The inverse of the transposition matrix: 

0 0 10 

10 0 0 

0 0 0 1 


0 10 0 
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The plaintext “BLOW ME DOWN,” padded with X’s: 



1 

22 

3 

13 

p = 

11 

12 

14 

23 


14 

4 

22 

23 

Do the first substitution: 

4 2 17 20 

20 

24 

13 

3 


1 

8 

18 

16 


Do the transposition: 

17 4 20 2 


13 

20 

3 

24 


18 

1 

16 

8 



Do the second substitution. 

The final ciphertext is “lAH OVV DLX WQQ”. 


8 

14 

3 

22 

0 

21 

11 

16 

7 

21 

23 

16 


Begin decryption — reverse second substitution: 

17 4 20 2 

13 20 3 24 

18 1 16 8 

Reverse the transposition: 

4 2 17 20 

20 24 13 3 

1 8 18 16 

Now reverse the first substitution, and the recovered plaintext is “BLO 


WME 

DOW NXX.’ 

1 

22 

3 13 

11 

12 

14 23 

14 

4 

22 23 


a 
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EXERCISES 


1. Using the ordinary alphabet and a block size of 2, encipher and decipher the following 
messages: 

a. GREY LADY DOWN 

b. WHERE EAGLES DARE 

c. TOKYO IN ELAMES 

Pad with the letter X if necessary. Use the enciphering matrix 

2 7 
5 4 

and shift vector 


21 

19 

2. Repeat the previous exercise, but use a block size of 3 with the enciphering matrix 

12 21 9 

7 8 18 

3 23 6 

and the shift vector 

19 

5 

6 

3. Repeat the previous exercise, but use a block size of 5 with the enciphering matrix 

20 15 3 1 5 

4 23 16 4 3 

3 8 13 10 8 

12 15 4 3 2 

5 6 7 8 9 

and the following shift vector 

14 

12 

13 

9 

21 


4. Suppose that you are a cryptanalyst trying to find the enciphering matrices used in the 
previous exercises. Recover the enciphering matrix A and shift vector B from each of 
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the exercises using only knowledge of the modulus, the block size, and the plain- 
text-ciphertext message pairs. If you are unable to obtain these matrices, state why. 

5. Show that if T is a transposition matrix, then the inverse of T is the same as the trans- 
pose of T. 

6. Encipher and decipher the following messages: 

a. GREY LADY DOWN 

b. WHERE EAGLES DARE 

c. TOKYO IN FLAMES 

Pad with the letter X if necessary. Use the transposition matrix 

0 0 0 1 0 0 0 

0 1 0 0 0 0 0 

1 0 0 0 0 0 0 

0 0 0 0 1 0 0 

0 0 0 0 0 1 0 

0 0 0 0 0 0 1 

0 0 1 0 0 0 0 

7. Repeat the previous exercise, but first encrypt with matrix A, given by 

20 15 3 15 

4 23 16 4 3 

3 8 13 10 8 

12 15 4 3 2 

5 6 7 8 9 

then with the transposition matrix, then again with matrix A. 

8. Implement a matrix cipher program by adding a matrixEncipher() method and a 
matrixDecipherO method to the Ciphers class. 



CHAPTER 8 


Systems of Linear Congruences 
Multiple Moduli 


Now we proceed with the next type of linear systems of congruences. These systems 
involve a single variable with multiple moduli, as in the following example: 

X = 3 (mod 4) 

X = 0 (mod 5) (*) 

X = 0 (mod 7) 

X = 8 (mod 9). 

We wish to find all integers x which solve all four of the congruences in (*). We can go 
about finding solutions as follows: first, rewrite the first congruence as an equality 

x = 4t + 3 

where x is an integer (proposition 17 allows this). Insert this expression into the second 
congruence to get 

4f + 3 = 0 (mod 5), 

then solve for t to get 

t = 3 (mod 5). 

We can now rewrite the previous as an equation 

t = 5 m + 3 

which we can then substitute for x in the next congruence, since 
x = 4t + 3 = 4(5m + 3) + 3 = 20m + 15. 

Doing this, we see that 

20m + 15 = 6m + 1 = 0 (mod 7) 
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or that 

M = 1 (mod 7). 

Again, rewrite this congruence as an equation; namely 

M = 7v + 1 

which we can then substitute for x in the last congruence since 

X = 20m + 15 = 20(7v + 1) + 15 = 140v + 35. 

Replace x with this expression in the last congruence 

140v + 35 ^ 5v + 8 ^ 8 (mod 9) 
to obtain solutions for v, which are all v such that 

V = 0 (mod 9). 

Finally, rewrite this congruence as an equation 

V = 9^ + 0. 

Once we back substitute this value for x, we get 

X = 140v + 35 = 140(9w) + 35 = 1260w + 35 
or, written as a congruence, 

X = 35 (mod 1260). 

These are exactly the solutions desired, for note that if x = 35(mod 1260), we certainly 
have all of the following: 

X = 35 = 3 (mod 4) 

X = 35 = 0 (mod 5) 

X = 35 = 0 (mod 7) 

X = 35 = 8 (mod 9). 

8.1 THE CHINESE REMAINDER THEOREM 

This method of solving these types of congruences is very effective, but we can develop an 
even faster method of solving such systems if we only require that the moduli be pairwise 
relatively prime. Note, however, that the previous method has no such requirement. The 
proof of proposition 27 describes the new method; it is called the Chinese Remainder The- 
orem, since the Chinese have known its results since ancient times. However, we must first 
establish the two following facts: 

PROPOSITION 25. Suppose integers ai, 02 , ■ ■ ■ ,a„ are pairwise relatively prime. Then 
(flifl 2 ■ • ■ if and only if Oilc, a^c, . . . ,a„ Ic. 
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Proof. Clearly, if the product p = (aia 2 ■ ■ ■ a„) divides c, then each a^, i = \,2, . . . , n 
likewise divides c, since each a, Ip, and pic. Conversely, suppose each a, divides c. Then 
the prime factorization of c must contain the prime factorization of each a„ and since 
these are pairwise relatively prime, no a, can have a prime factor in common with any 
other. Thus, the prime factorization of c contains the prime factorization of the product 
p, and so pic. ■ 

The next proposition is what we really need for the Chinese Remainder Theorem, and 
using the previous result makes its proof very simple. You are requested to do this. 

PROPOSITION 26. Let a = b (mod mj), a = b (mod m 2 ), . . . , a = fc(mod m„) where 
fli, a 2 , ■ ■ ■ , a„ are pairwise relatively prime. Then we have a = b (mod m[m 2 . . . m„). 

PROPOSITION 27. (THE CHINESE REMAINDER THEOREM.) 

Suppose nil, ^ 2 ^ . . . , m„ are pairwise relatively prime. Then the system of congruences 

x = ai (mod mj) 
x = a 2 (mod m 2 ) 


X = a„ (mod m„) 

has a unique solution modulo M = mim 2 . . . m„; namely, 

X = UiMiMi + a 2 M 2 M 2 ' + . . . + a„M„M„' (mod M) 
where M, = M/nii and M,' is an inverse of M, modulo m, V i = 1, 2, . . . , n. 

Proof. Let all the quantities he defined as stated in the proposition. First, note that M, = 
mim 2 ■ ■ . m,_im,+i ■ ■ ■ m„ and m, are relatively prime for any i. To see this, note that each 
m, is relatively prime to nii^M i k, and so if we have an integer p greater than 1 which 
divides m„ it cannot divide any other m*., and hence cannot divide the product mim 2 . . . 
m,_im,+i . . . m„ = M,. Thus, proposition 22 says that an inverse M,' of M, modulo m, exists. 
Then the integer given by 

X = UiMiMi + a2M2M2' + . . . + 
simultaneously solves the system of congruences 

X = ai (mod nii) 

X = 02 (mod m 2 ) 


X = a„ (mod m„). 

To see this, note that m^.lM, when i + k, hence giving us M, = 0 (mod m^^.). Thus, all terms 
of X modulo nif. vanish except the kth term, and so we have 

X = ai;M;^Mi^' = Oj. • 1 = Oj. (mod m*,) 
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for any k. That is, x is also a solution to the individual congruences of the system. To show this 
solution is unique (in the sense that all other solutions are congruent to it modulo M), let x and 
y hoth be simultaneous solutions to the previous system. Note now that we have x = y^at 
(mod m*-) V k, and proposition 26 tells us then that x = y (mod M), as desired. ■ 

HxAMPLE. Well use the Chinese Remainder Theorem (CRT) to solve the same system (*); 
that is, the system 

X = 3 (mod 4) 

X = 0 (mod 5) 

X = 0 (mod 7) 

X = 8 (mod 9). 

(Note that the moduli are pairwise relatively prime.) The proof of CRT shows us how to get 
our solutions very quickly by computing M = 4 • 5 ■ 7 • 9 = 1260, and 

Ml = 1260/4 = 315, Mj = 1260/5 = 252, M3 = 1260/7 = 180, M4 = 1260/9 = 140. 

We then compute inverses y, of each M, modulo m,: 

M/ = 3 (an inverse of 315 modulo 4) 

M2' = 3 (an inverse of 252 modulo 5) 

M3' = 3 (an inverse of 180 modulo 7) 

M4' = 2 (an inverse of 140 modulo 9) 

To get our solution, we now simply form the sum 

X — I "t" ri 3/1/34/3 + ^24/1/44/4 

= 3 ■ 315 ■ 3 + 0 ■ 252 • 3 + 0 ■ 180 • 7 + 8 ■ 140 • 2 
= 5075 

= 35 (mod 1260). 

This is exactly the same solution we obtained earlier, only perhaps less directly but cer- 
tainly more quickly. (Note that computing M2, M3, 3^2 and ^3 isn’t even necessary in this 
example, because they vanish in the final computation.) 


Java Algorithm. Suppose we write a static method in the BiglntegerMath class to 
solve such sets of congruences; we can call it solveCRT(). We can make it solve systems of 
the form 
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X = (mod mj) 
x = a2 (mod m2) 


X = a„ (mod m„). 

If any individual congruence does not have a unique solution, we will throw an excep- 
tion; likewise if the moduli are not pairwise relatively prime. We will pass in the values of 
a, and m, as arrays of Bigintegers, and the solution will be returned as an array of two Big- 
Integers, say answer[]. Then answer[ 0 ] will contain the residue solution, and answer[l] will 
contain M, the product of the individual moduli. 

Here is the program: 

//Finds simultaneous solutions to a linear system of congruences 
//involving only one variable and multiple moduli. 

public static Biglnteger[] solveCRT (Biginteger [ ] residue, Biglnteger[] modulus) { 
//See if the number of moduli and residues match 

if (residue . length! =modulus . length) throw new IllegalArgumentException 
("Residues and moduli are in different amounts."); 

//See if the moduli are pairwise relatively prime 
for (int i=0; i<modulus . length- 1 ; i++) { 

for (Int j=i+l; j<modulus . length; j++) { 

if ( ! (modulus [i] .gcd(modulus [ j ] ) .equals (ONE) ) ) 
throw new IllegalArgumentException 
("Moduli are not pairwise relatively prime."); 

} 

} 

/ /Form the product of the individual moduli 
Biginteger M=new Biginteger ( "1" ) ; 
for (int i=0; i<modulus . length; i++) 

M=M. multiply (modulus [1] ) ; 

//Eoim the solution as in the Chinese Remainder Theorem 
Biginteger solution=new Biginteger ( "0" ) ; 
for (int i=0 ; i<modulus . length; 1++) { 

Biginteger Mi=M. divide (modulus [i] ) ; 

solution=solution.add(resldue [i] .multiply (Ml) .multiply 
(Ml .modinverse (modulus [i] ) ) ) ; 

} 

solution=lnr (solution, M) ; 
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FIGURE 8.1 



//Answer must be returned as a two dimensional array. 

Biglnteger[] result=new Biginteger [2 ] ; 

result [0] =solution; 

result [1] =M; 

return result; 



I have written an applet called TestCRTApplet which allows you to solve these types of 
systems using the Chinese Remainder Theorem. It can be run from the book’s website, and 
a screen shot follows (see Figure 8.1). The Chinese Remainder Theorem has many impor- 
tant applications in cryptography, and it is equally useful to both the cryptographer and the 
cryptanalyst. We will investigate many of these applications in upcoming chapters. 


EXERCISES 

1 . Solve the following systems of linear congruences using the Chinese Remainder The- 
orem (CRT). 

a. X = 23 (mod 26) 

X = 2 (mod 31) 

X = 5 (mod 17) 

b. X = 1 (mod 26) 

X = 1 (mod 33) 

X = 1 (mod 35) 

5x = 3 (mod 18) 

3x = 4 (mod 7) 

2x = 5 (mod 25) 

6x = 10 (mod 11) 


c. 
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2 . Solve the previous systems of linear congruences without using the Chinese Remain- 
der Theorem. 

3 . Willie the woodchuck is building a dam for his family. After gnawing down trees all 
day he stacks the logs in the mud in rows of 5, and notices he has 1 left over. Disgrun- 
tled, he stacks them in rows of 6 and notices he has 2 logs remaining. Highly upset 
now, Willie chews one of the logs to bits in a fit of rage (so he has 1 less log now), then 
stacks the logs in rows of 7 and has none remaining. What is the minimum number of 
logs Willie produced that day? 

4 . Francine the dancing gorilla is dividing up coconuts for her family. If she divides them 
up equally among all her 46 children, she has 3 coconuts left over, but if she divides 
them up only among her 25 favorite children, she has 2 coconuts remaining. What is 
the minimum number of coconuts Francine has? 

5. Redneck Slim is planting petunias for his sweetheart Daisy Mae. If he places them in 
9 rows, he has 2 plants left over. If he puts them in 10 rows, he has 3 plants left over, 
but if he puts them in 11 rows he has exactly 1 plant left over for his date Saturday 
night. What is the minimum number of petunia plants? 

6. Show that the system of congruences 
X = ai (mod mi) 

X = 02 (mod m 2 ) 

X = a„ (mod m„) 

has a solution iff the gcd of m, and divides a, — a<. where \ <i<k<n. This can serve 
as a check for systems which do not have moduli that are pairwise relatively prime. 

7. Solve the following systems of linear congruences: 

a. x=l (mod 24) 

X = 23 (mod 56) 

b. X = 80 (mod 95) 

X = 4 (mod 38) 

X = 50 (mod 60) 

8. Write a static solveMultipleModuli() method in the BigIntegerMath class to find a par- 
ticular solution to linear systems of congruences with multiple moduli that need not be 
pairwise relatively prime. (Thus, you cannot use the Chinese Remainder Theorem.) 
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9.1 QUADRATIC CONGRUENCES MODULO A PRIME 

The type of congruences we will first investigate here are those of the form 

= a (mod p) 

where p is prime. (Later on, we will allow the modulus to he composite.) Not all such con- 
gruences have solutions; for example, 

= 5 (mod 11) 

has two solutions, x = 4 (mod 11), and x = —4 = 7 (mod 11). (Verify.) But the congruence 

x^ = 2 (mod 5) 

has no solutions. (Verify by trying all values from 0 through 4.) It turns out that such con- 
gruences either have no solutions, or exactly two, as the next theorem shows. 

PROPOSITION 28. Ifp is an odd prime and p a, then the congruence x^ = a (mod p) 
has either no solutions or exactly two incongruent solutions modulo p. 

Proof. Suppose the congruence has a solution, say x = z; that is, 7 } = a (mod p). Then 
clearly, x = — z is also a solution, since (— z)^ = z?' = a (mod p). Also, —z (mod p), 
because if z = — z (mod p), this would imply that 2z = 0 (mod p), which cannot be because 
p is odd and does not divide z (since z^ = a (mod p) and p -Y a). 

Now we must show these two solutions (when they exist) are the only solutions. Suppose 
X = z, X = y are two solutions to this quadratic congruence, hence z^ = = fl (mod p) and 

so z^ — y^ = (z + y)(z — y) = fl — fl = 0 (mod p). This says that p\{z + y) or p\{z — y), which 
further implies then that z = — y (mod p) or z = y (mod p). Either way, we are left with only 
two distinct solutions, x = z (mod p) and x = — z (mod p). ■ 

Note that the previous only applies to odd primes, so quadratic congruences modulo 2 
(the only even prime) are handled somewhat differently. We will not have occasion to do 
this. 
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9.2 FERMAT'S LITTLE THEOREM 

How do we find solutions to quadratic congruences? When the modulus is a prime of the 
form Ak + 3, that is, congruent to 3 modulo 4, these solutions are easily obtained. But before 
we do this, we must first prove Fermat’s Little Theorem, an extremely useful result. 

PROPOSITION 29. (FERMAT'S LITTLE THEOREM.) Let p be prime and b an inte- 
ger such that p A b. Then = 1 (mod p). 

Proof. Note first that p divides none of the integers b, 2b, . . . , (p — l)h, for if p\kb for 
some k between 1 and p — I (inclusive), then by proposition 13, p\k since p A b, and this is 
impossible. Now we want to show that no two of the integers b, 2b, . . . ,{p — \)b are con- 
gruent modulo p. Assume two of them are; that is, 

jb = kb (mod p) where \ <j <k<p — 

Then proposition 21 says j = k (mod p) since b and p are relatively prime. But this can- 
not be since j and k are positive integers both less than p — \. 

Thus, the sequence of integers 1, 2, — 1 has the same number of members as the 
sequence b, 2b, ...,(/?— \)b, and the least nonnegative residues of the latter (modulo p) 
must therefore be a permutation of \,2, . . . , p — 1. Thus we must have 

\ ■ 2 . . . {p — = b ■ 2b . . . ip — \)b (mod p), or 

(p - 1 )! ^ bP~\p - 1)! (modp). 

Since ip — 1)! is relatively prime to p, we can divide it out and preserve the congruence 
by proposition 21. This yields the desired result; namely, 

= 1 (mod p). ■ 

Now we can find the solutions to = a (mod p) when is a prime congruent to 3 mod- 
ulo 4. These solutions are in the next proposition, which you can prove quickly with the aid 
of Fermat’s Little Theorem. Solutions to quadratic congruences when the modulus is a prime 
of the form 4^ H- 1 are more difficult to obtain, and we will not cover such congruences 
here. 

PROPOSITION 30. Letp be a prime congruent to 3 modulo 4, and a an integer such that 
p -f a. Then if the congruence = a (mod p) has solutions, they are x = (mod p), 

and X = (mod p). 

(Hint: First show that = 1 (mod /?); this is called Euler’s criterion. It may not 

be clear to you when proving proposition 30 why p must be congruent to 3 modulo 4; it is 
simply the only way ip + l)/4 can be an integer.) 
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IXAMPLES. We will solve all of the following congruences. Note that the modulus is prime 
and congruent to 3 modulo 4. 

• = 2 (mod 23) 

Solutions: x ^ ±2(23+i)/4^ + 2 ®= ±64 ^ ±5 (mod 23) 

If you prefer to always use least nonnegative residues, the solutions are: 

X = 5 (mod 23), and x = —5 =18 (mod 23) 

• x^ ^ 17 (mod 19) 

Solutions: x = ±17^ = ±6 (mod 19) 

• x^ = 2 (mod 7) 

Solutions: x = ±2^ = ±4 (mod 7) 


.3 QUADRATIC CONGRUENCES MODULO A COMPOSITE 

We are now ready to attempt solving congruences when the modulus is not prime. Let n = 
pq, where p and q are distinct primes of the form Ak + 3, and consider the congruence 

x^ = a (mod n) (*) 

where 0 < a <n. Suppose (*) has a solution, say x = y. Then it has four solutions, accord- 
ing to the following proposition. 

PROPOSITION 31. Let n=pq where p and q are primes congruent to 3 modulo 4, and 
let a be an integer such that 0 <a <n. Suppose the equation = a (mod n) has a solution. 
Then all the solutions are given by 

X = ±{zqqp ± wpPq') (mod n) 

where z = w = qp is an inverse of q modulo p, and p^ is an inverse of p mod- 

ulo q. 

Proof. We will show it has exactly four solutions as follows. Note that x = ±}' are solu- 
tions to x^ = a (mod n) iff they are solutions to both x^ = a (mod p) and x^ = a (mod q). 
This is easy enough to see if you use the definition of congruence: 

y is a solution to x^ = a (mod n) 
iff = a (mod n) 
iff n\(y^ — a) 

iff p\(y^ — a) and q\(y^ — a) (since n= pq and clearly p\n and q\n) 

iff y^ ^ a (mod p) and y^ ^ a (mod q) 

iff y is a solution to both x^ = a (mod p) and x^ = a (mod q) 


1 72 Chapter 9 Quadratic Congruences 


Now let z be the least nonnegative residue of y modulo p, and let w be the least nonneg- 
ative residue of y modulo q.Sox= ±z are solutions to = a (mod p), and x= ±w are solu- 
tions tox^ = a (mod q). We can combine these solutions in four different ways to get four 
sets of simultaneous congruences: 

1 . X = z (mod p) and x = w (mod q) 

2. X = p — z (mod p) and x=q — w (mod q) 

3. X = p — z (mod p) and x = vr (mod q) 

4 . X = z (mod p) and x=q — w (mod q). 

Using the Chinese Remainder Theorem (CRT) on each of sets 1 through 4, we can find 
the value for x which solves the two congruences simultaneously, and these four values are 
thus solutions to (*). For congruences 1 and 2, we use CRT to construct the two solutions 

X = ±{zqqp' + wppq) (mod n) 

where q^ is an inverse of q modulo p, and p^ is an inverse of p modulo q. Similarly, using 
CRT on congruences 2 and 3 we arrive at the other pair of solutions 

X = ±{zqqp' - wpPq') (mod n). 

We then can write the four solutions quickly as 

X = ±{zqqp ± wppg') (mod n). 

and the proof is complete. ■ 

lixAMPLE. Suppose we wish to solve 

x^ ^ 23 (mod 77). 

Note that the prime factorization of 77 is 7 ■ 11, and both of these primes are congruent 
to 3 modulo 4. We first obtain the solutions to 

a. x^ = 23 = 2 (mod 7), and 

b. 1 (mod 11). 

The solutions to (a) are x = ±3 (mod 7), and the solutions to (b) are x = ± 1 (mod 11). 
Using the Chinese Remainder Theorem, we then separately solve the four sets of congru- 
ences 

1 . X = 3 (mod 7) and x = 1 mod 11) 

2 . X = —3 (mod 7) and x = — 1 mod 11) 

3 . X = —3 (mod 7) and x = 1 mod 11) 

4 . X = 3 (mod 7) and x = — 1 mod 11). 

Each yields a solution to x^ = 23 (mod 77). We can do all of these at once, as denoted in 
the formula of proposition 31: 

x=±(3- 11 ■2± 1 - 7 -8) (mod 77) 
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which yields the four solutions 

±122 = ±45 (mod 77), 
or 

±10 (mod 77). 

(Here 2 is an inverse of 1 1 mod 7, and 8 is an inverse of 7 mod 1 1 .) If you prefer to have 
the solutions in terms of least nonnegative residues modulo n, they are 

45 (mod 77), 

X = 32 (mod 77), 

X ^ 10 (mod 77), 

X ^ 67 (mod 77). 

You should verify that each solution satisfies the congruence x^ = 23 (mod 77). 


We see from the previous development that solving quadratic congruences when the 
modulus is not prime involves obtaining the prime factorization of n, solving the congru- 
ences for the prime moduli, and then recombining the solutions using CRT. This will work 
even when the solutions we seek are for quadratic congruences more complicated than the 
simple congruence x^ = a (mod p). 

To continue with this, we will now consider quadratic congruences of the form 

ax^ + bx + c ^ 0 (mod p) 

where p is a prime of the form 4k + 3, and a is not divisible by p. Solving such a congru- 
ence can go quickly by completing the square, almost the same way we do in algebra. First, 
multiply both sides by an inverse of a modulo p. This inverse exists because (a, p) = 1: 

x^ + a'bx + a'c = 0 (mod p). 

Now move a'c to the RHS: 

x^ + a'bx = —a'c (mod p). 

Next, add the exact quantity to both sides to make the LHS a perfect square: 
x^ + a'bx -I- (2'a'bf = —a'c + {Ta'bf (mod p). 

The value desired is 2'a'b, where 2' is an inverse of 2 modulo p, which exists since p is 
an odd prime. Now, rewrite the LHS as a square, and factor the RHS: 

(x + 2'a'bf' = a'i{2'bfa' — c) (mod p). 

Proposition 30 now tells us the solutions to the previous congruence: 

X -I- 2'a'b = ±(a'((2'bfa' — (mod p). 

Thus, we finally arrive at our solutions for x: 

X = ±{a' ((2' bfa' — — 2'a'b (mod p). 
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The previous formula can be used to solve these types of quadratic congruences, but 
often it is easier to complete the square yourself and simplify as you proceed. 

Example. We wish to solve the congruence 

+ 10.r + 7 ^ 1 (mod 19). 

Move the 7 to the RHS: 

3x2 ^ = _5 ^ 13 (jnod 19). 

Multiply both sides by 13, an inverse of 3 modulo 19; 

x2 + 10 ■ 13x ^ 13 • 3x2 ^ 13 . iQ^ ^ 13 . 13 ^ 159 ^ 17 19 ^ 

Now, add (10 • 13 • 2')^ to both sides. 10 is an inverse of 2 modulo 19: 

x2 + 10 • 13x + (10 • 13 • 10)2 ^ 17 + (16 • 10)2 ^ 17 + 32 ^ 5 (mod 19). 

Write the LHS as a square: 

(x + 10 • 13 • 10)2 ^ (x + 8)2 ^ 5 (mod 19). 

Proposition 30 gives us the solutions to (x + 8)2 = 5 (mod 19); they are 

X + 8 ^ +5(19+i)/4 = +55 ^ +9 19)^ QJ. 

X = ±9 — 8 (mod 19). 

This yields the two solutions 

X = 1 (mod 19), and x = —17 = 2 (mod 19). 

You should verify that each of the solutions is correct. We will solve this congruence 
once again however, this time using the quadratic formula: 

X = ±(a'((2'b)2fl' — c))^^'^^"^ — 2'a'b (mod p). 

The congruence to solve is 

3x2 + lOx + 7 ^ 1 (mod 19), 

or in standard form, 

3x2 + 5 = 0 (mod 19), 

so a = 3, b = 10, c = 6 , a' = 13, and 2' = 10. 

Substituting these values into (ft) we get 

X = ±(13((10 • 10)2 • 13 - 6 ))“®'"*’''* - 10 • 13 • 10 

^ ±(13(10000 • 13 - 6 ))^ - 8 

^ ±(13(15))^ - 8 

^ ±5^ - 8 


9-8 (mod 19). 
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This yields x=l (mod 19), and x = — 17 = 2 (mod 19), the same solutions obtained by 
completing the square. 

We are finally ready to solve the type of congruence which we will find most useful; 
those of the type 

ax^ + bx + c = 0 (mod n) 

where (a, n) = 1, n= pq, and where p and q are both primes congruent to 3 modulo 4. 


PROPOSITION 32. Let n = pq, where p and q are primes congruent to 3 modulo n. 
Suppose a is an integer relatively prime to n, and that the congruence 

ax^ + bx + c = Q (mod n) 

has a solution. Then all the solutions are given by 

X = (±(a' ((2' b)^a' — c))^^^^'^)qqp + {±(a' {{2' b)^a' — — 2’a'b (mod n). 

(Again, q^ means an inverse of q modulo p, and p^' is an inverse of p modulo q.) 

Proof. Most of the work involved in finding the solutions has already been done. As 
before, use some algebra to rewrite the congruence as 

(x + 2'a'bf = a'{{2'b)^a' — c) (mod n). 

As before, this splits up into two congruences 

(x + 2'a'bY = a'{{2'b)^a' — c) (mod p), and 

(x + 2'a'b)^ = a'{(2’bf'a' — c) (mod q), 

and proposition 30 tells us the solutions: 

X + 2'a'b = ±{a\{2'b)^a' — (mod p), and 

X + 2'a'b = ±{a' ((2' bfa' — (mod q) 

We then use CRT to recombine these solutions and obtain solutions to ax^ + bx + c = 0 
(mod n): 

X + 2'a'b = {±(a'{{2'b)^a' — c))^^^^'‘*)qqp' + (±(a'{{2'b)^a' — c)f‘‘^'''''‘^)ppq' (mod n), 
or 

X = {±{a' {{2' bf'a' — c))^^^^'^)qqp' + {±(a' {{2' bf'a' — c))^‘‘"^^^'‘^)pp^' — 2'a'b (mod n). 

Here qp is an inverse of q modulo p, and p^ is an inverse of p modulo q. These are the 
values claimed in the proposition. ■ 

The formula may appear quite horrifying at first, but it provides the solutions we seek 
very nicely. We demonstrate this now: 

LMxAMPLE. We solve the congruence 

2x^ + 3x + 16 = 0 (mod 21). 
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Note that 21=3-7. The congruence is already in standard form, so we have a = 2, b = 
3, c = 16, a' = 11, and 2' = 11. We first calculate the quantities ±(a'((2'bfa' — (mod 

3), ±{a' {(2’ b)^a' — (mod 7), and 2'a'b (mod 3 and mod 7): 

±(a'{(2’bfa' - 

^ ±(11((11 ■ 3)^11 - 16)^^"*'^'^ 

= ±( 2((2 • 0)^2 - l ))( 3 + i )« 

= ±2 (mod 3). 

±{a'({2’bfa’ - 
^ ±(11((11 ■ 3)^11 - 
^ ±(4((4 • 3)^4 - 
= ±0 (mod 7). 

2'a'b 

^ 11 • 11 • 3 
^ 2 ■ 2 • 0 
^ 0 (mod 3) 


2'a'b 

^ 11 • 11 • 3 
^ 4 ■ 4 ■ 3 
^ 6 (mod 7) 

The four solutions we seek (actually two, because of ±0 helow) are then 

(±1 - 0) • 7 • 1 + (±0 - 6) • 3 • 5 (mod 21). 

Here, 1 is an inverse of 7 mod 3, and 5 is an inverse of 3 mod 7. If we provide the answers 
in terms of least nonnegative residues, we get 

X = 7 — 6 = 1 (mod 21), 

-7 - 6^-13 ^8 (mod 21). 

The methods we have discussed here can be easily extended to solve quadratic congru- 
ences modulo n = piP 2 . ■ ■ p„ where the factors are all distinct primes congruent to 3 mod- 
ulo 4. You may wish to attempt this. 

Java Algorithm. We should write a solveQuadratic() method (in the BigIntegerMath 
class, of course) to solve quadratic congruences of the forms described above. That is, the 
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modulus must be a product of distinct primes of the form 4A: + 3. If we are going to deal with 
truly large integers, then we must take many things into consideration: 

• We cannot send in the modulus n as a parameter directly; rather, we must send in the 
prime factorization n = pq. This is because factoring n when n has large prime factors is 
an intractable problem. (We will discuss this more later.) 

• We must test each factor of n first to see if each one is a probable prime, using the isProb- 
ablePrimeO method of the Biginteger class. (This method of determining primality does 
not involve attempted factoring and will execute quickly.) If the factor is probably prime, 
we must also test whether it is congruent to 3 modulo 4. If either is not the case, our 
method is unusable and we must throw an exception. 

• We must check that no factor of the modulus n is repeated; that is, the two primes p and 
q must be unique if we are to use the Chinese Remainder Theorem to produce the solu- 
tions. (CRT requires that the moduli be pairwise relatively prime; if any two moduli are 
equal this condition is certainly violated.) \fp = q, we throw an exception. 

• We must check the solutions we obtain. It is possible the quadratic congruence we are try- 
ing to solve has, in fact, no solutions! Thus, any values we obtain must be checked against 
the original congruence. If any solution fails to check, we must again throw an exception. 

The method as we have outlined has many rules to follow, but if we take the proper pre- 
cautions, this method can produce very satisfactory results. The code follows: 


import j ava. math. Biginteger ; 
import j ava . security . SecureRandom; 
public class BigintegerMath { 

//Define zero as a Biginteger; this is handy for comparisons 

static final Biginteger ZERO=new Biginteger ( "0 ") ; 

static final Biginteger ONE=new Biginteger ( "1" ) ; 

static final Biginteger TWO=new Biginteger ( "2 ") ; 

static final Biginteger THREE=new Biginteger ( "3 ") ; 

static final Biginteger FOUR=new Biginteger ("4"); 


//Other methods 


//Solves quadratic congruences ax''2+bx+c congruent to 0 mod n=pq 
//Returns four solutions when they exist 

public static Biginteger [] solveQuadratic (Biginteger a, Biginteger b, Biginteger 

Biginteger p, Biginteger q, int primeTolerance) { 

//Check that the factors of the modulus are distinct 
if (p . equals (q) ) 

throw new IllegalArgumentException ( "The modulus factors are not unique!"); 
//Check that the factors are congruent to 3 modulo 4 
Biginteger n=p .multiply (q) ; 
if ( ! Inr (p .mod (EOUR) , n) . equals (THREE) ) 
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throw new IllegalArgumentException (p+" is not of form 4k+3!"); 
if ( ! Inr (q. mod (FOUR) , n) . equals (THREE) ) 

throw new IllegalArgumentException (q+" is not of form 4k+3!"); 

//Check that the factors of the modulus are prime 
if ( !p . isProbablePrime (primeTolerance) ) 

throw new IllegalArgumentException (p+" is not prime!"); 
if (! q. isProbablePrime (primeTolerance) ) 

throw new IllegalArgumentException (q+" is not prime!"); 

//Create the array of solutions 
Biglnteger[] result=new Biglnteger[4]; 

//Start forming the terms 
Biginteger alnv=a .modinverse (n) ; 

Biginteger plnv=p .modinverse (q) ; 

Biginteger qlnv=q. modinverse (p) ; 

Biginteger twoInv=TWO .modinverse (n) ; 

Biginteger terml= 

ainv. multiply (twolnv. multiply (b) .modPow (TWO, n) .multiply (alnv) .subtract(c) ) 
Biginteger term2=twoInv. multiply (alnv) .multiply (b) ; 

Biginteger tl= 

Inr (terml.modPow{p.add(ONE) . divide (EOUR) ,n) 

. subtract {term2 ) .multiply (q) .multiply (qinv) ,n) ; 

Biginteger t2= 

Inr (terml.modPow{q.add(ONE) . divide (POUR) ,n) 

. subtract (term2 ) .multiply (p) .multiply (pinv) ,n) ; 

Biginteger t3= 

Inr (terml.modPow{p.add(ONE) . divide (POUR) ,n) .negateO 
. subtract {term2 ) .multiply (q) .multiply (qInv) ,n) ; 

Biginteger t4= 

Inr (terml.modPow{q.add(ONE) . divide (POUR) ,n) .negateO 
. subtract (term2 ) .multiply (p) .multiply (pInv) ,n) ; 

//Form the solutions 
result [0] =lnr (tl . add(t2 ) , n) ; 
result [1] =lnr (tl . add(t4) , n) ; 
result [2 ] =lnr (t3 . add(t2 ) , n) ; 
result [3 ] =lnr (t3 . add(t4) , n) ; 

//Check the solutions; if any are bad, throw an exception 
Biginteger x; 
for (int i=0;i<4;i++) { 
x=result [i] ; 

if ( !lnr (a. multiply(x. multiply (x) ) . add(b. multiply (x) ) .add(c) ,n) . 
equals (ZERO) ) 

throw new IllegalArgumentException ( "Solution x="+x+" does not check!") 

} 

return result; 

} 

} 
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FIGURE 9.1 




I have written an applet test program of the solveQuadratic() method, which can be run 
from the book’s website. You enter the values a, b, c, p, and q for the quadratic congruence 
ax^ + bx + c = 0 (mod pq). The primes p and q must both be congruent to 3 modulo 4. A 
screen shot of the applet, called TestSolveQuadratic Applet, is shown in Figure 9.1. 


EXERCISES 

1. Solve the following quadratic congruences: 

a. = 1 (mod 7) 

b. x^ = —2 (mod 11) 

c. x^ = 6 (mod 19) 

d. x^ = — 3 (mod 19) 

e. x^ = 3 (mod 23) 

f. x^ = 7 (mod 31) 

Check the solution(s) you obtain. 

2. Solve the following quadratic congruences: 

a. x^ = 7 (mod 93) 

b. x^^ -17 (mod 33) 

c. x^=— 8(mod57) 

d. x^ ^ 23 (mod 77) 
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e. = 12 (mod 69) 

f. ^ 8 (mod 217) 

Check the solution(s) you obtain. 

3. Solve the following quadratic congruences: 

a. 3x^ + 2x = 0 (mod 7) 

b. 2x^ + 3x + 9 = 5 (mod 7) 

c. 5x^ + lOx +13^18 (mod 23) 

Check the solution(s) you obtain. 

4. Solve the following quadratic congruences: 

a. 3x^ + 2x = 12 (mod 77) 

b. 2x^ + 3x + 9 ^ 106(mod 133) 

c. 5x^ + lOx + 13 ^ 101 (mod 209) 

Check the solution(s) you obtain. 

5. Prove proposition 30. 

6. Solve the following quadratic congruences: 

a. 4x^ + 2x + 100 = 58 (mod 231) 

b. 2x^ + 3x + 182 = 0 (mod 1463) 

Check the solution(s) you obtain. 

7. The solveQuadraticO method can be written in a much “cleaner” way. First, write a 
method to solve quadratic congruences of the form 

= a (mod p) 

where p is a prime congruent to 3 modulo 4. Use this method in conjunction with the 
solveCRTO method, and use the Chinese Remainder Theorem to produce the solutions. 

8. Suppose the quadratic congruence ax^ + bx + c = 0 (mod n) has solutions, and that n 
= piP 2 ■ ■ ■ Pm, where each prime factor p, is unique, and each congruent to 3 modulo 4. 
Explain how you would find the solutions. 

9. Revise the solveQuadraticO method to compute and return solutions of quadratic con- 
gruences as described in the previous exercise. 
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The cryptosystems we are about to cover in this chapter are called public key cryp- 
tosystems. All the cipher systems we’ve looked at so far have been secret key schemes. 
This is the classical view of cryptography; it means that both the enciphering key and deci- 
phering key must be kept secret, for knowing one is equivalent to knowing the other. For 
example, consider a block affine transformation 

C = aP + b (mod m) 

where (a, m) = l. The enciphering key are the numbers a, m, and b. If an unauthorized user 
captured these values, she could certainly encrypt messages to you, but even worse (obvi- 
ously), she can easily derive the decryption key a' (where a' is an inverse of a modulo m) 
and decrypt any messages. 

With public key cryptography, the situation is somewhat different. Public key means that 
two keys are involved: a public key used for enciphering, and a private key used for deci- 
phering. But knowing the encryption key is not equivalent to knowing the decryption key, 
and this is the crucial difference. With public key cryptography, each user generates a pub- 
lic key, which they distribute to everyone, and a private key, which they do not divulge to 
anyone. Anyone who wants to send a message to some user must look up their public encryp- 
tion key and use it to encrypt the message. On the receiving end, the user decrypts the mes- 
sage with their private key. No one else can decrypt because only the intended recipient 
knows the private key, and the private key is very difficult to calculate from the encryption 
key. 

10.1 THE RABIN CIPHER 

The encryption process of the following cipher, known as the Rabin cipher, involves pro- 
ducing ciphertext C from plaintext P as follows: 

C=P^ (mod n). (0 < P < n, 0 < C <n) (t) 

Here n is the product of two distinct large primes, say p and q, both congruent to 3 mod- 
ulo 4. At current levels of computing power, n should be at least 1024 bits in length. The 
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public key in this cipher is n. What is not made public is the prime factorization of n; that 
is, the two primes p and q are kept secret. These two values are necessary for decryption; 
thus, they are the private key. 

The enciphering process is described in (f). Anyone knowing the value of n can send mes- 
sages. Now, in order to decipher, we must solve the congruence 

C = (mod n) 

for the plaintext P. We know from previous work that these solutions are obtained by form- 
ing the two congruences 

C = P^ (mod p) 

C = P^ (mod q) 

and solving them. We then combine these solutions using CRT to obtain solutions for P. Thus, 
we can only solve (f) for P by factoring the modulus n=pq (at least, no other way to solve 
these congruences is known). This is why the prime factors of n are kept secret. Only the 
individual possessing them can decipher. From proposition 3 1 , we get the solution(s) to (f) 
as 


P = ±{zqqp ± wpp^') (mod n) 

where z = w = qp is an inverse of q modulo p, and p^' is an inverse of p 

modulo q. 

The obvious drawback to this method is that solving such congruences can produce four 
distinct square roots P for C. That is, it reports four possible plaintext messages during the 
decryption phase. If the message is text, it is easy to identify the correct one; it’s the one that 
doesn’t look like garbage! However, if the message is some type of binary stream, for exam- 
ple, the messages must be tagged in some way so this tag will reappear in the decryption 
process. 

Why is it that we can reveal the value of n to everyone? We know that if someone man- 
ages to factor n into its prime factors p and q, our cryptosystem and we will be, metaphor- 
ically, up the creek without a paddle! Anyone knowing p and q can decrypt; the question is, 
how easy is it to factor nl If n is the product of two sufficiently large primes (say a few 
hundred digits each), then it is nearly impossible to factor n in a reasonable period of time. 
In fact, it will take somewhere on the order of a few billion years! We may find this hard to 
believe since we routinely factor integers in our math classes, but we simply don’t appre- 
ciate the size of the numbers involved here. Indeed, factoring has become a huge study 
involving many techniques, some of which we shall study in upcoming chapters. 

jixAMPLE. To see how the Rabin cipher works, we use the ordinary alphabet A = 00, B = 0 1 , 
. . . , Z = 25. We will use a block size of four characters. With our choice of alphabet and 
block size, the largest possible block corresponds to ZZZZ = 25252525. We must pick a mod- 
ulus n greater than this, and furthermore, n must be the product of 2 primes congruent to 3 
modulo 4. Let p = 69 1 1 and q = 6947. (You may wish to verify that p and q are both primes 
of the form Ak + 3.) These two values are the private key, and must not be made public. We 
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then compute n = 6911 • 6947 = 48010717. The value of n can be made known to anyone, 
and in fact is necessary for encryption. 

We wish to encipher the message 

SHOOT NOW GEEK 

which we will regroup into blocks of four letters each, 

SHOO TNOW GEEK 

then convert the characters into their numerical equivalents. Leading zeros are important: 
18071414 19131422 06040410. 

Notice that should our messages not be evenly divisible into blocks of size 4, we should 
use some type of padding scheme. We proceed to encrypt the first block: 

180714142 

= 1339280 (mod 48010717) 

This residue is the first ciphertext block. The second block we encrypt as follows: 

191314222 

= 22338923 (mod 48010717) 

and the third as: 

C ^ 60404102 

^ 40412478 (mod 48010717) 

The transmitted enciphered message is the sequence of numbers 
01339280 22338923 40412478. 

Now, if you have done the job right and haven’t told anyone about the two secret num- 
bers, p = 6911, and q = 6947, you should be the only individual able to decrypt. (Of course, 
in this example, n = 48010717 is easily factorable into n = 6911 • 6947; in reality we would 
use a much larger block size, and much larger primes.) To decrypt the first enciphered block, 
you must solve the congruence 

1339280 = p2 48010717) 

for P. Using the Chinese Remainder Theorem, we derive the four roots 
^ p ^ 18071414 (mod 48010717) 
p ^ 16274554 (mod 48010717) 

P = 29939303 (mod 48010717) 

P = 31736163 (mod 48010717). 
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The correct root is marked. We decrypt the second block by solving 
22338920 = (mod 48010717) 

for P. We get the following roots, with the correct one again marked: 

p ^ 39784853 (mod 48010717) 

P ^ 28879295 (mod 48010717) 

P = 8225864 (mod 48010717) 

^ P^ 19131422 (mod 48010717). 

We solve this third congruence 

40412478 = P^ (mod 48010717) 
for P to decrypt the third block. The roots we obtain are: 

p ^ 36711428 (mod 48010717) 

^ p^ 6040410 (mod 48010717) 

P ^ 11299289 (mod 48010717) 
p ^ 41970307 (mod 48010717). 

You can surely see the problem of deciding between four roots during decryption. In this 
case, deciding was easy because of our alphabet (no character > 26). In general, how do we 
know which solution for P is the correct one? The answer is, if we didn’t write the message, 
we don’t know. The correct root may be any of the four roots, and there is no way of know- 
ing in advance which one it will be. This poses a problem for this cryptosystem: What if two 
(or more) roots could both be construed as a valid message? One solution may be to tag the 
blocks with special character(s) which do not otherwise appear in the messages. For instance, 
in our example we use only the characters A = 00 through Z = 25; we could use the num- 
ber 26 to tag the beginning of each block, as in: 

SHOO TNO’W GEEK 
converts to 

28705651 20676817 47296051. 

Now, in front of each block, we place the tag, 26: 

2628705651 2620676817 2647296051 

and encipher this message. Thus, the block size of the enciphered message is greater than 
that of the plaintext. This is not a problem; many cipher systems exhibit different plain- 
text/ciphertext block sizes. When we decrypt, the tags will reappear, which we then remove 
from the message and convert back to characters. Similar tagging schemes can be used for 
messages that use ASCII character encoding and Unicode. You should remember that some 
messages, however, are not text at all, but may be any type of binary stream whatsoever. 
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Careful planning is necessary to ensure that a tagging scheme will work properly; that is, 
will not cause confusion on the receiving end. We will soon discuss a type of tagging which 
is most often employed with Rabin cipher implementations. 


We actually have been rather presumptuous throughout this chapter, and we should cor- 
rect this now. The Rabin cipher says both primes p and q must be of the form 4k H- 3. A nat- 
ural question to ask now is, “OK, we know there are infinitely many primes, but are there 
infinitely many primes of the form Ak + 3?” This is important because we must be able to 
freely select such primes for this cipher. But what if such primes eventually “run out,” and 
we are left only with primes of the form 4A: H- 1 ? The next result assures us that this does not 
happen. 

PROPOSITION 33 There are infinitely many primes of the form 4k H- 3. 

Proof. First note that if we have any two integers both of the form 4k H- 1 , their product 
is also of the form 4k H- 1 , since if m = 4j + 1 and n = 4; H- 1 we have 

mn = (4j + 1)(4; -I- 1) = 16ji + 4i + 4j + I = 4(4/7 + i+j) + 1. (*) 

Hence, mn is also of the form 4k H- 1 (where k here is equal to 4ji + i + j). Given this, we 
now assume there are finitely many primes congruent to 3 modulo 4. Thus, we can list them 
in a finite sequence starting with the smallest prime congruent to 3 modulo 4, and pro- 
gressing through them in order to the largest, say pg = 3,pi = 1 ,P 2 = 1 1 . • ■ ■ > Fn- Now, con- 
sider the integer 

N=4p^2-- ■Pn + ^ 

which must contain a prime factor of the form 4k H- 3, for if not, its prime factors would all be 
congruent to 1 modulo 4, and hence their product N would also be congruent to 1 modulo 4, a 
contradiction. However, now note that 3 T A; for if 3IA, we also have 3I(A — 3) = 4p^2 ■ ■ ■ Pm 
another contradiction (since Pq = 3 does not appear in the sequence 4pj)2 - ■ ■ Pn)- Likewise, none 
of the other primes p, (1 < i < n) divides N, since if we have some p^lN, we then also have pi\{N 
— 4pj}2 - ■ ■ Pn) = 3, which is ridiculous because all of the primes pi(i=l,2, . . . , n) are larger 
than 3. Since no prime of the form 4k H- 3 in the list p^, p 2 , ... ,p„ can divide N, and N must 
have such a prime as a factor, we can only conclude that our assumption is incorrect. There must 
be infinitely many primes congruent to 3 modulo 4. ■ 

.2 WEAKNESSES OF THE RABIN CIPHER 

The Rabin cipher is quite secure, provided the proper precautions are taken. (Of course, the 
necessity of taking the proper precautions is true of any cipher.) As presented here, the Rabin 
cipher has certain weaknesses which can be exploited. We describe these weaknesses below. 

Chosen Ciphertext Attack A chosen ciphertext attack is when an adversary has 
the ability to pass a single ciphertext message (of his choice) through an individual’s 
decryption machine. The adversary may even have access to the decryption machine 
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himself, but this does not necessarily mean he has access to the private key; these values 
may be secured inside the hardware in such a way that their retrieval by unauthorized 
means is not possible. 

Suppose the Rabin decryption machine returns all 4 plaintext message values, and leaves 
it up to the application to decide which message is correct. If the Rabin decryption machine 
works this way, the analyst can factor n. To see this, suppose the analyst chooses a random 
integer, say z, and encrypts it using the public key value n: 

C = (mod n). 

He then runs this ciphertext C back through the decryption machine, and receives 4 mes- 
sages in return. One of the returned values will be congruent to z modulo n, and another will 
be congruent to — z modulo n. However, the other 2 roots, say r and r', are congruent to nei- 
ther z nor — z modulo n. Take either root, say r; he can derive one of the prime factors of n 
by simply noting that since z ^ r (mod n), n -X {z — r), and so 

(z — r,n)^ n. 

But if he can also show that z — r and n are not relatively prime, he will then have found 
a nontrivial divisor of n\ that is, p or q. He can do this in the following way; note that n can- 
not divide z + r = z — (—r) since z^ —r (mod n). Hence, n divides neither z + r nor z — r. 
However, since z^ = (mod n) he has 

n I (z^ - r^), or n I (z H- r)(z - r) 

which implies n is not relatively prime to z ~ r. Thus, (z — r, n) yields a nontrivial divisor 
of n\ namely, p or q. 


AMPLE. Here we show a chosen ciphertext attack on Rabin. The adversary does not know 
the first two values p and q listed here; she only knows n, the product of p and q. She sub- 
mits a message m to the decryption machine and gets four roots: Xj, X 2 , x^, and X 4 . She is inter- 
ested only in a root congruent to neither m nor —m modulo n. The first root, Xj, is such a 
root. She calculates {m — Xi, n), and in this case, obtains the factor q. She then derives p by 
taking p = n/q. 

p is unknown to adversary: 

P = 

179769313486231590772930519078902473361797697894230657273430081157732675 

805500963132708477322407536021120113879871393357658789768814416622492847 

430639474124377767893424865485276302219601246094119453082952085005768838 

150682342462881473913110540827237163350510684586298239947245938479716304 

835356329624224137859 

q is unknown to adversary: 

q = 

359538626972463181545861038157804946723595395788461314546860162315465351 

611001926265416954644815072042240227759742786715317579537628833244985694 
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861278948248755535786849730970552604439202492188238906165904170011537676 
30136468492576294782622 1 08 1 65447432670 1 02 136917259647989449 1 876959432609 
6707 1 2659248448276687 

n=pq is public: 


n = 

646340121426220146014297533773399039208882053394309680642606908550493102 
777357817863944028230458269273774359218437960389882391183009818421901763 
047728965662412617547346019921835003955007793042135921152767681351365535 
844372852395123236761886769523409411632917040726100857751517830821316172 
151047982478607716803918058340827477683169176315227971638380003141234015 
213715286981934574126958310812212353843734392842382104560615275941849712 
736764525520559801471208444488841303619868703237828364738114662819239227 
238184943188233259835607113670605755573747578481214665113626049865412769 
4383482536657973 1 809108470421496863793 1 33 . 

Here is the bogus plaintext message that the adversary creates: 


m = 

327562836508236509237590237590823750923875098275908237590827359082375908 

723095873209875093285790328750932875093248750983275098327509832759082375 

098370957309287509328750923858723658972365892365930275094327590342857326 

589726598235698236598235689265892365095780936723985689236598236598236598 

236598236598256982569823569826539823659826985273209568923658923793286598 

2365982365987263986598236589726895698236598236598723658972 . 

The adversary computes the ciphertext by squaring the plaintext modulo n, and submits 
this to the decryption machine: 

C = 

633117525812174963141726511411569613510692954921413433904834216758854296 
633124876624725803389226024659872532640785232933916621224271521661591779 
805056806132874825319189837524810853175640040181499810175228697753511769 
733199644184786773309701377090720855844334771741032864292654831554262834 
830106099159752454122074338825214233151941406426968586422774039868803500 
958440877983431882318911204475101540253926424708618519209984525553968321 
269537413569633044293116969006410634311794364957784418800457585030758560 
064753995190942293115578955198138212298271399040518748965782046565242764 
022 176873403735774342 1 7 1 96605 1 68494458628 . 

The decryption machine calculates and returns four roots to the adversary (knowing p and 
q you should be able to do this yourself and verify these calculations): 


^ 1 = 

136581210291743377386869067901142217233939214683424267658172999911458881 
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101371791334898587390563770149554181160653931381289940174632065720864984 
1 6070571705314011152928769000337192325260392980183091752907203 1 239306598 
040700753365794505657513929226515691686332665760750657196364168456902823 
203050625077910855586397879032295214458991406870906366079175118986933410 
93723894495064925648985272373453897 1811075264323 866647349340 157867181964 
926088594958034247340186513722802386107673559315549871858881556554492677 
028840739965027 1 67600998 10207722 110516129854911652071 87079372969 1 2 1 66955 
06923066755098517382626285867590850161814 


-«2 = 

646340121426220146014297533773399039208882053394309680642606908550493102 

777357817863944028230458269273774359218437960389882391183009818421901763 

047728965662412617547346019921835003955007793042135921120011397700541884 

920613828636040861669499259695818587873834304817863266879208243500328662 

822468949603514429294593183242499967850418193039319734128542907410305264 

280840194596062208229721721575619326334301633808096371901642616118279889 

076940956593970564961630350816442734696208879578004704914454839159413528 

981202586205579277469624415143284798681381686101886005289966226205540129 

57236588776852836110871872184898140134161 


^3 = 

509758911134476768627428465872256821974942838710885412984433908639034221 
675986026529045440839894499124220178057784029008592451008377752701036778 
8870232486092725060180583299 1 8463080702403863240305003623695650112058937 
803672099029328731104372840296893719946584374965350200555153662364413348 
947997357400696861217520179308532263224177769444321605559204884154300604 
276476342031285317637105587077673382032659128518515457211275118074667747 
810675930562525554131021930766038917512195143922278492879233106264746550 
209344203223206092234609011593384650412449029364693946405688752953245814 
36911758611481214426482184553906013631319 


X4 = 

327562836508236509237590237590823750923875098275908237590827359082375908 

723095873209875093285790328750932875093248750983275098327509832759082375 

098370957309287509328750923858723658972365892365930275094327590342857326 

589726598235698236598235689265892365095780936723985689236598236598236598 

236598236598256982569823569826539823659826985273209568923658923793286598 

2365982365987263986598236589726895698236598236598723658972 . 


Two of these roots will yield a nontrivial divisor of n. We begin with Xi by calculating 
(m — Xi, n). 



10.2 Weaknesses of the Rabin Cipher 189 


(m — Xj, n) = 

359538626972463181545861038157804946723595395788461314546860162315465351 
611001926265416954644815072042240227759742786715317579537628833244985694 
861278948248755535786849730970552604439202492188238906165904170011537676 
30136468492576294782622 1 08 1 65447432670 1021369 17259647989449 1 876959432609 
670712659248448276687. 

This is certainly not a trivial divisor of n. We have found one of its prime factors, and in 
this case, we found q. To find p, the adversary simply divides nhy q (of course). 


p = nlq = 

179769313486231590772930519078902473361797697894230657273430081157732675 

805500963132708477322407536021120113879871393357658789768814416622492847 

430639474124377767893424865485276302219601246094119453082952085005768838 

150682342462881473913110540827237163350510684586298239947245938479716304 

835356329624224137859. 


You will be asked to write a program to execute such attacks in Java. A slight modifica- 
tion to the chosen ciphertext attack yields the adaptive chosen ciphertext attack, described 
below. 

Homomorphic Property — Adaptive Chosen Ciphertext Attack Note that 
the Rabin cipher has the following behavior: If we encrypt a plaintext message P to C, note 
that if we separate P into 2 parts, say m and m*, which individually encrypt to c and c*, 
respectively, we have 

P^ = = cc* = C (mod n). 

This is referred to as the homomorphic property of the Rabin transformation. This can 
be exploited to employ an adaptive chosen ciphertext attack on this cipher. This attack is 
when a cryptanalyst has access to the decryption machine, as in the chosen ciphertext attack, 
but does not have total freedom to choose any message. That is, suppose the analyst chooses 
an integer z and computes 

C = (mod n), 

but the decryption machine has been instructed to reject this message. The analyst must 
then “adapt” by trying to disguise the message C as another message. She can do this by 
selecting a random integer x relatively prime to n, and then computing 

C* = Cx^ (mod n) 

and submitting the message C* to the decryption machine. Now, note that 

Cx^ = zV = (zxf (mod n) 
by the homomorphic property, and so 

C* = (zx)^ (mod n). 
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Thus, the decryption machine will return 4 square roots modulo n of C*, say S 2 , 

Sn- One of these 4 values will be congruent to zx modulo n, and another will be congruent 
to —zx modulo n. However, the remaining 2 roots will be congruent to neither zx nor —zx 
modulo n. Choose one from the latter category, say and compute Six' where x' is an 
inverse of x modulo n. This value s,x' is congruent to neither z nor — z modulo n, and can 
be used in the same manner as the chosen ciphertext attack described previously to obtain 
a prime factor of n. 

Redundancy One solution to the chosen ciphertext problem and the adaptive chosen 
ciphertext problem is to ensure that the decryption machine returns only the correct plain- 
text message and withholds the other 3 roots. We can do this by padding with redundancy. 
For example, we can pad each block with 8 characters, where these characters are the first 
8 characters of that block. Using this, the decryption machine will be able to distinguish the 
correct root from the other roots, as (with very high probability) only one root will possess 
the required redundancy. 

Another form of redundancy is to append a “digest” of each block. A digest, in this case, 
is a fixed-size compressed version of the block. See Chapter 16 on cryptographic applica- 
tions for more information about message digests/hashes. 

Now, if an adversary computes an enciphered message from some random plaintext mes- 
sage z to the decryption machine, it will only return the correct root z, giving him no new 
information. This is also the case even if he attempts to disguise the message in the manner 
described using an adaptive chosen plaintext attack. 

Weak Primes If the primes p and q for the Rabin cipher are not chosen carefully, the 
Pollard p — I method can be used to factor n (see Chapter 12 on factorization techniques). 
Specifically, p (also q) must be chosen so that p — 1 does not consist entirely of small fac- 
tors. 

For example, consider the prime p = 10888869450418352160768000001 = 27! -H 1. Then 
p — 1 = 271, and so the largest factor of p — 1 is 27 — a very small integer when compared 
to p. The Pollard p — 1 method of factorization uses this fact to find the prime p. One solu- 
tion to this problem is to choose p so that p = 2t+ 1, where t is prime. Then we have p — 1 
= 2t, and so p — 1 has a large prime factor, namely t. 

For similar reasons, we also want to avoid primes p such that pH-1 consists entirely of 
small factors. When we generate primes with the intent of avoiding these weaknesses to 
factoring methods, we call such primes strong primes. 

10.3 STRONG PRIMES 


Definition 

A prime number p is said to be a strong prime if integers r, s, and t exist such that: 

(a) p — 1 has a large prime factor r 

(b) p H- 1 has a large prime factor s 

(c) r — 1 has a large prime factor t. 
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Prime Generator — Cordon's Algorithm This algorithm produces strong primes. 
When we produce integers that are the product of large strong primes, these integers are 
highly resistant to factoring methods. 

1. Generate two large random primes s and f of approximately the same size. (Use an appro- 
priate random number generator and primality test; see Chapter 1 1 on primality testing.) 

2. Choose an integer i*, then find the first prime r = 2it+ 1, where i = i*, i* + I, i* + 2, . . . . 

3. Compute z = the Inr of (mod r). 

4. Calculate p* = 2zs — 1. 

5. Choose an integer k*, then find the first prime p =p* + 2krs, where k = k*, k* + 1,^*H- 

2, . . . . 

6. /? is a strong prime. 

To see that p is indeed a strong prime, note that by FLT we have 5 '“' = 1 (mod r). Thus, 
p* = 2zs — 1 = - j— 1 = 2-1 — 1=1 (mod r), and 

p* = 2zs — 1 = — 1 (mod i'). 

This immediately gives us what we need: 

(a)/7 — \ =p* + 2krs —1=0 (mod r)', ^ r = 2it H- 1 is a large prime factor ofp—\ 

{h)p + \ = p* + 2krs H- 1 = 0 (mod i'); ^ 5 is a large prime factor of p H- 1 
(c) r — 1 = 2it = 0 (mod t); ^ t is a large prime factor of r — 1. 
and we establish that p is a strong prime. 


HXAMPLE. The following demonstrates finding a strong prime using Gordon’s algorithm. First 
we generate s and f, two primes of about the same size. 

s = 

649257745123755764564298232583183358105018398492925296182752230219795813 

315606717730413881037389513739598704819556327738654940708820981641744821 

701213543 

t = 

4592298 1 635 193614540940767220687 1 372046265685062392744762039282823998800 
862208949389232433994508929505925943890562601701058936427954733705485851 
046387127 

Now, we look for the first prime r of the form 2it - 1 - 1, where i begins at 1. In this case, 
we get: 

r = 

596998761257516989032229973868932783660145390581110568190651067671198441 

120871634206002164192861608357703727057731382211376617356341153817131606 

36030326511 
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Now, we compute z, the Inr of ^ modulo r. 


z = 

665230492072090237201496662581252085144747143014640731643715847110536584 

592217084417720567412260139505217601163389933696724796030966764997614576 

5260549183 

We compute p* as 2zs — 1 : 

p* = 

346084307903560664425684232051486131077315397498633595581688753937826631 

433322997849280623926140157753141972793817951619368163028361404889048627 

525470705306956391991968534559962944356650024630432157045548591633214550 

857822086145412115926942830031833676001801967113277394757571799217642094 

28697654507474370737 

We search now for the first prime p of the form p* + 2krs, where here k starts with the 
value 1 . This yields a strong prime, and, in this case, we get: 

P = 

13685955099102335767423383775 1193444637 145211672745580838508211454534324 
823686210424604005719046718052981484190707562992713417956940416543355152 
315219159854859002395777579635185385039269578229009584384066590554210488 
182334714799737615710384650453125076807810092764555005612188062536100529 
7295821927389722 1 3 1 80427 


Java Aigorithm 1 have created a PrimeGenerator class for the purpose of generating 
strong primes. One creates a PrimeGenerator object, then calls a getStrongPrime() method. 
The primes generated by this method are of sufficient size and quality to thwart modern 
factorization methods. 

import j ava . security . * ; 
import j ava . math . * ; 
import j ava. util ; 
public class PrimeGenerator { 


//To find primes, we first specify the minimum bit length 

//The methods will produce primes 1 to 3 bits larger than requested, but never 

// smaller 

Int minBitLength; 


//certainty is the number of primality tests to pass 
int certainty; 


SecureRandom sr; 


public PrimeGenerator ( int minBitLength, int certainty, SecureRandom sr) { 
//The bit length of the prime will exceed minBitLength 
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if (minBitLength<512 ) throw new IllegalArgumentException 
("Strong/Safe primes must be at least 64 bytes long."); 

//Set the values 
this .minBitLength=minBit Length, ■ 
this . certainty=certaintY; 
this . sr=sr ; 

} 

//This method finds and returns a strong prime 
public Biginteger getStrongPrime ( ) { 

//The strong prime p will be such that p+1 has a large prime factor s 
Biginteger s=new Biginteger (minBitLength/2-8 , certainty , sr) ; 

//t will be a large prime factor of r, which follows 
Biginteger t=new Biginteger (minBitLength/2-8 , certainty , sr) ; 

Biginteger i=BigInteger . valueOf ( 1 ) ; 

//p-I will have a large prime factor r 

//r is the first prime in the sequence 2t + l, 2*2t + l, 2*3t + l, . . . 

Biginteger r; 
do { 

r=BigIntegerMath.TWO.multiply (i) .multiply (t) .add(BiglntegerMath.ONE) ; 
i=i .add{BiglntegerMath.ONE) ; 

} while (! r. isProbablePrime (certainty )) ; 

Biginteger z=s .modPow (r . subtract (BigIntegerMath. TWO) ,r) ; 

Biginteger pstar=BigIntegerMath. TWO. multiply ( z ) .multiply(s) . 

subtract (BigIntegerMath. ONE) ; 

Biginteger k=BigInteger . valueOf ( 1 ) ; 

//The strong prime p is the first prime in the sequence 2rs+p*, 2*2rs+p*, 
//2*3rs+p*, . . . 

Biginteger p=BigIntegerMath. TWO. multiply (r) .multiply(s) .add(pstar) ; 
while (p .bitLength ( ) <=minBitLength) { 
k=k. multiply (BigIntegerMath. TWO) ; 

p=BigIntegerMath. TWO. multiply (k) .multiply(r) .multiply(s) .add(pstar) ; 

} 

while ( !p. isProbablePrime (certainty) ) { 
k=k.add(BiglntegerMath.ONE) ; 

p=BigIntegerMath. TWO. multiply (k) .multiply{r) .multiply(s) .add(pstar) ; 

} 

return p; 



An applet that tests the getStrongPrime() method follows; it is called TestPrimeGenera- 
torApplet, and can be ran from the book’s website. A screen shot of the applet is shown in 
Figure 10.1. 
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FIGURE 10.1 



This applet also allows you to generate a probable prime using what is called the 
Rabin-Miller test. We have been using the constructor provided in Java from the Biglnte- 
ger class: 


public BigIntegerCint bitLength, Int certainty, Random r). 


This constractor generates random Bigintegers of the specified bitlength, until one passes 
a primality test for a certain number of trials. The probability that this number is prime is 


1 




This constractor does not use the Rabin Miller primality test. However, we will cover the 
Rabin-Miller test in the chapter on primality testing. This applet also allows you to gener- 
ate what are called safe primes, suitable for other types of cryptosystems. The PrimeGen- 
erator class has a getSafePrimeAndGenerator() method, and a getSafePrime() method. Look 
in the chapter on exponential congruences for the definitions of safe prime, and generator. 

There are other properties a prime may have that would make it vulnerable to certain fac- 
toring algorithms; see the chapter on factorization techniques for more information. 


Square Root Problem The Chinese Remainder Theorem can help an adversary if 
Rabin is used to send the same message to multiple entities. Suppose someone wants to 
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send the same message P to 2 entities, having moduli n, and n*. They would compute the 
Inr’s of 

C = (mod n) 

C* = (mod n*). 

Since it is very likely that these 2 moduli are pairwise relatively prime, one can easily 
compute a simultaneous solution modulo M = n ■ n* for x to the set of congruences 

jc = C (mod n) 

x= C* (mod n*). 

Since P^ <n ■ n*, by CRT we must have x = P^. Thus, by merely taking the normal pos- 
itive square root of x, one can obtain P. 


Example, in this example, we will use parameters which would be feasible in actual prac- 
tice. I think this is important for examples in cryptanalysis, to give you an idea of the scope 
of the problem. Suppose we wish to send the message 

m = 

327562836508236509237590237590823750923875098275908237590827359082375908 

723095873209875093285790328750932875093248750983275098327509832759082375 

098370957309287509328750923858723658972365892365930275094327590342857326 

589726598235698236598235689265892365095780936723985689236598236598236598 

236598236598256982569823569826539823659826985273209568923658923793286598 

2365982365987263986598236589726895698236598236598723658972 

to two different entities using Rabin. The first entity uses the public modulus 


n = 

646340121426220146014297533773399039208882053394309680642606908550493102 
777357817863944028230458269273774359218437960389882391183009818421901763 
047728965662412617547346019921835003955007793042135921152767681351365535 
844372852395123236761886769523409411632917040726100857751517830821316172 
151047982478607716803918058340827477683169176315227971638380003141234015 
213715286981934574126958310812212353843734392842382104560615275941849712 
736764525520559801471208444488841303619868703237828364738114662819239227 
238184943188233259835607113670605755573747578481214665113626049865412769 
4383482536657973 1 809108470421496863793 1 33, 

and the second uses the modulus 

n* = 

827315355425561786898300843229950770187369028344716391222536842944631171 
5550 1 800686584835613498658467043 1179799600589299049460714252567580034256 
701093076047888150460602905499948805062409975093933979075542632129747885 
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880797251065757743055215064989964046890133812129409097921942823451284700 
353341417572617870433870197661339699702384692398942940091526767537122407 
2946225492282228797405663320 1825081 263745 11091 62228995 890265099106862 175 
129783360538190048124955153727405933205488194213497935668384446131585719 
769748108 1 2589556326080228965524 1 774630887967226547 1 8079206243270 1 705774 
9253168131337219010124364276404953144761357. 

To compute the ciphertext C = rrP' (mod n) for the first entity, we obtain 

C = 

633117525812174963141726511411569613510692954921413433904834216758854296 

633124876624725803389226024659872532640785232933916621224271521661591779 

805056806132874825319189837524810853175640040181499810175228697753511769 

733199644184786773309701377090720855844334771741032864292654831554262834 

830106099159752454122074338825214233151941406426968586422774039868803500 

958440877983431882318911204475101540253926424708618519209984525553968321 

269537413569633044293116969006410634311794364957784418800457585030758560 

064753995190942293115578955198138212298271399040518748965782046565242764 

02217687340373577434217196605168494458628, 

and we apply the transformation C* = (mod n*) to obtain the ciphertext for the second 
entity: 

C* = 

394135248113853837239995785378155119660436161585799942724612487297884404 
632745939484613684148169252487434528179060956986090118025870479973165415 
807243287982752578261206149474414115340822662855315835762700720048234558 
712444543617330299373057364169102752460252141023980586511691405908268083 
588138459388456857535076380649491418151420595527403167925459720523465715 
021500179306273478205638799251490159856470610252397459099946884001280830 
252629399799543352087268619877293435351018907962347103035620025259332348 
275482523386757262089321203787452631835007817304852012889299139015826664 
750136364110090814992374452422470738855529 1 . 

An eavesdropper captures both messages C and C*, and knows their plaintext equivalents 
are the same. He has access to the public moduli n, and n*, so he simply needs to find the 
simultaneous solution x to 


X = C (mod n) 

X = C* (mod «*). 

CRT tells him exactly how to compute this solution; it is 

X = Cn*{n*)’ + C*nn' (mod n ■ n*) 

where («*)' is an inverse of n* modulo n, and n' is an inverse of n modulo n*. Both of these 
values are easily computable using the extended Euclidean algorithm. The values he obtains 
for n' and («*)' are 
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n' = 

103263461981882861062786663752777462175094289042793826073777660932064239 
421442774128148179956149383630351472101383901416222437739428120537496844 
245199079442668017154702976062842089841568938071479001427994543188554221 
115276088728567455684565042964557431421107222436249019878609266108175858 
124361197755381114937973572181548712613409747227913581319056985394852398 
084487124970716064947426472124245378223284977468290053203588152259348515 
625046935987244280800174540272797917758248171 25434 1 20769029806248 1216167 
528333934836121894789925388081585752480608066799998740549915224135659234 
59 1 2472 1 094404 1 143033 1 08675792907161 1556082, 

and 

(n*y = 

56566554 1752874 1 608089954527 1 654 1 646884589640079627004022468 1 1 09473 17915 
729355650576328262639716563312562271639231787408458611699081599251982353 
481167184847828229145234319872739621266282060173792951287146944485307550 
598063408075929912008320329707348918335177023197781310971354341674303782 
99 13907967322 1 622006870266072664522352582560 1 2044622807827949568363561 23 
348142830696396398621571457726481064542977798874551230913235978372189710 
059519841017844537104921977286499738353103100370267565323698898530108734 
170588312885569924743018308407355426370867568374322691255471122749516099 
67399232498190089468651608956593592819968. 

He then combines these values using the CRT formula to obtain 

= X = 

107297411861321680907514861384339217765295082808206114325123089381136015 
524701635341161871377007555148580336419555532871152609983017836612563487 
591327437743663832845605641026043394022012578434187301314894547456727730 
257625586451817991411251446477064513852860540591300380302198128398350095 
008517337820821682833970271741889770829366774041010862939865154136215583 
576547154338003222682025233175666362486458726928146033065226496988099344 
946501245683372299902380475067363053365780390691996437208014464278584234 
314944962513348436839550335887834620312109611730644090035255616166589958 
290436903597929892282050969055549903864227200176485400546369403199956019 
817111464120200227052607334143654876555969639885312017068888815665743235 
084504551643813143206463824739078205795097842594282570823541551058657452 
56509992538572757424398951566596819756096784 (mod n ■ n*). 

Since he knows is less than n ■ n*, x must in fact equal (rather than some residue 
of m^). He merely needs to compute the positive square root of x to regain the plaintext: 

m = Vx = 

327562836508236509237590237590823750923875098275908237590827359082375908 

723095873209875093285790328750932875093248750983275098327509832759082375 

098370957309287509328750923858723658972365892365930275094327590342857326 
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589726598235698236598235689265892365095780936723985689236598236598236598 

236598236598256982569823569826539823659826985273209568923658923793286598 

2365982365987263986598236589726895698236598236598723658972 . 

Note that nowhere did the eavesdropper have to use any private information of either of 
the intended recipients! You will be asked to program this attack in Java. 


A similar situation to the repeated message problem occurs if the message P is small 
when compared to a modulus n. For, in this case, it may turn out that is still less than n. 
Thus, the ciphertext C = P^, and one can derive the plaintext P by simply taking the posi- 
tive square root of C. 


I£xAMPLE. Suppose we want to send the message 
P = 

2390 1 84792 1 064892 176487658947562 1934521 754012450100521 34527 164521 635472 1 
645782153478215784521784587216547821547264765686587157161289768792648947 
56345234 

to someone using Rabin. Their public modulus is 


n = 

646340121426220146014297533773399039208882053394309680642606908550493102 
77735781786394402823045826927377435921843796038988239 1 1 8300981 8421901763 
047728965662412617547346019921835003955007793042135921152767681351365535 
844372852395123236761886769523409411632917040726100857751517830821316172 
151047982478607716803918058340827477683169176315227971638380003141234015 
213715286981934574126958310812212353843734392842382104560615275941849712 
736764525520559801471208444488841303619868703237828364738114662819239227 
238184943188233259835607113670605755573747578481214665113626049865412769 
43834825366579731809108470421496863793133 . 

By applying the enciphering transformation, we obtain the ciphertext 

C = P^ = 

571298334041714108108345643190462228642901026856795346055535425667278441 
850934824793736487150968102492632521428140126182308141623561315311127797 
0937055455 1 1982088097 1 69004995 193640628781 3097 1 869830920 1 990365 156015487 
8 14518004431530143866988010770332236034011312080519927953939004687628572 
888504994514756 . 

The ciphertext is still smaller than the modulus; thus, all one needs to do is take the 
square root of the ciphertext message to derive P: 


P = ^C = 

2390 1 84792 1 064892 176487658947562 1934521 754012450100521 34527 164521 635472 1 
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645782153478215784521784587216547821547264765686587157161289768792648947 

56345234. 


A remedy to this problem, called salt, is described shortly. 

Forward Search Attack This attack is useful when the number of possible messages 
is small or predictable in some way. If this is the case, an adversary simply needs to encrypt 
all suspected messages (using public information) until a result is obtained that matches 
some ciphertext. 


10.4 SALT 

Salt simply refers to adding random data to the end of each block. This helps solve certain 
problems; in the case of the Rabin cipher, it certainly foils the forward search attack, as the 
messages are no longer predictable. It also solves the square root problem for small mes- 
sages, if enough salt is used. To solve the square root problem posed by using the Chinese 
Remainder Theorem, we simply salt each block of each message differently (randomly) 
every time the message is sent. Thus, no 2 entities will receive the same message because 
of the random data tagged on the end. One who has the decrypting keys knows how much 
salt has been added (this is agreed on beforehand), and so removes it after decryption. At 
current levels of computing power, at least 64 bits of salt should be used (per block). 


Example. To foil a small message attack, we will add some salt to the small message in the 
previous example. We will encipher using the same modulus. 

P = 

2390 1 847921064892 1 76487658947562 1934521754012450100521 34527 164521 635472 1 
645782153478215784521784587216547821547264765686587157161289768792648947 

563452343204985729038750923487509238750932759063428568293658792658926502 

345732904573029875903245790234592437590279023457902709270927908270927309 

827032198749812648917264891276489127648912764982136489721634897126984621 

8946 . 

By applying the enciphering transformation, we now obtain the ciphertext 
P^^C = 

362553151149932290693370397428556816309612860797213471999021301363970532 
507759737177005742323020709244386843096963830437628218686278812350788061 
965619398198903437544832410128148805922800361293406046652128918390329775 
694836555904101302789331938629983720911345280340650671106530527991109007 
492490780768265310413373267274165164009328331195722273832191470040406895 
818936053712468645971674045864005833135144807356844179852541177298341854 
811520524357320450008042254589982743442715951668881225417413416712356390 
00053349 1 929 1 0349 1 1 30866508303679 188401345886873831 4676627 1 2090878394709 
91344857388135329931312052597944482054859 (mod n). 
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The plaintext is now large enough so that when squared modulo n, we obtain a residue 
different from P^. An attacker is now forced to compute the modular square root. 


Java Algorithm I have written methods to encrypt and decrypt using Rabin. To ensure 
only the correct message is returned out of the four possible roots obtained in the decryp- 
tion phase, I add 4 bytes of redundancy to the beginning of each block; that is, before a 
block is encrypted, the first 4 bytes of the blocks are repeated at the front. (See Figure 10.2.) 

Then, to protect against attacks commonly used on Rabin ciphers, 1 add 4 bytes of salt 
to the head of each block before encrypting it. This means a different ciphertext will be pro- 
duced each time the message is encrypted. (See Figure 10.3.) 

Of course, after decrypting, the receiver knows these bytes are simply random data, and 
throws them out. 

I also use PKCS#5 padding, and so that the addition of redundancy and salt does not 
further restrict the block size, I do not include it in the padding. Thus, the maximum plain- 
text block size (including salt and redundancy) is 255 -H 8 = 263 bytes. (See Figure 10.4.) 
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public class Ciphers { 

public static byteL] rabinEncipherWSalt (byte [ ] msg, Biginteger n, SecureRandom sr) 

{ 

//Compute the plaintext block size-take 4 bytes salt and 4 bytes redundancy 
//into account 

int blocks ize= (n . bit Length { ) -1 ) /8 ; 

if {blockSize<12 ) throw new IllegalArgumentException 
("Block size must be >= 12 bytes"); 
byte[] [] ba=block(pad(msg,blockSize-8) ,blockSize-8) ; 

//Begin the enciphering 

for (int i=0 ; i<ba . length; i++ ) { 

ba [i] =addRedundancyAndSalt (ba [i] ,sr) ; 

ba [i] =getBytes (new Biginteger (1, ba [i] ) .modPow(BigIntegerMath.TWO, n) ) ; 

} 

//Return to a ID array. The ciphertext block size is one byte greater than 

//plaintext block size. 

return unBlock (ba, blockSize+1 ) ; 


public static byte[] rabinDecipherWSalt (byte [ ] msg, Biginteger p, Biginteger q) { 
//Compute inverse of p mod q, and of q mod p 
Biginteger n=p .multiply (q) ; 

Biginteger pinv=p .modinverse (q) ; 

Biginteger qinv=q. modinverse (p) ; 

Biginteger pexp= (p . add (BigIntegerMath . ONE) ) . divide (BigIntegerMath. FOUR) ; 
Biginteger qexp= (q. add (BigIntegerMath. ONE) ) . divide (BigIntegerMath. FOUR) ; 
//Compute the ciphertext block size 
int blocks ize= (n . bit Length ( ) -1 ) /8+1 ; 
byte[] [] ba=block(msg,blockSize) ; 

//Begin the deciphering 

for (int i=0 ; i<ba . length; i++ ) { 

//Get the four roots 

Biginteger terml=new Biginteger ( 1 , ba [ i] ) 

.modPow(pexp,n) .multiply(q) .multiply (qinv) ; 

Biginteger term2=new Biginteger ( 1 , ba [ i] ) . 

modPow ( qexp , n ) .multiply(p) .multiply (pinv) ; 
byte[] [] msgroot=new byte [4] [0] ; 

Biginteger sum=terml . add (term2 ) ; 

Biginteger dif ference=terml . subtract (term2 ) ; 
msgroot [0] =getBytes (BigIntegerMath. Inr (sum, n) ) ; 
msgroot [1] =getBytes (BigIntegerMath. Inr (sum. negate ( ) ,n) ) ; 
msgroot [2 ] =getBytes (BigIntegerMath. Inr (dif ference, n) ) ; 
msgroot [3 ] =getBytes (BigIntegerMath. Inr (dif ference .negate ( ) ,n) ) ; 
boolean)] isCorrectRoot=new boolean[4]; 
for (int k=0;k<4;k++) { 
isCorrectRoot [k] =true; 
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for (int j=4; j<8; j++) if (msgroot [k] [ j ] ! =msgroot [k] [ j+4] ) { 
isCorrectRoot [k] =false; 
break; 

} 

} 

boolean correctFound=false; 

for (int k=0 ; k<4 ; k++) if ( isCorrectRoot [k] ) { 
if { ! correctFound) { 
correctFound=true ; 
ba [i] =msgroot [k] ; 

} else { 

ba [i] =null; 

throw new IllegalArgumentExceptlon 

("Multiple messages satisfied redundancy requirement!"); 

} 

} 

if (! correctFound) throw new NoSuchElementException 
("No message satisfied redundancy requirement!"); 
ba [ i ] =removeRedundancyAndSalt (ba [ i ] ) ; 

} 

//Go from blocks to a ID array, and remove padding; return this 
return unPad (unBlock (ba, blockSize-9 ) , blockSize-9 ) ; 

} 

//Method to add redundancy and salt to blocks using Rabin 

private static byte[] addRedundancyAndSalt (byte [ ] b, SecureRandom random) { 
byte[] answer=new byte [b. length+8] ; 
byte[] salt=new byte[4]; 
random. next Bytes (salt) ; 

//Put salt in front 

System. arraycopy (salt , 0 , answer, 0,4) ; 

//Eollow with 1st 4 bytes of message-redundancy 
System. arraycopy (b, 0 , answer, 4,4) ; 

//Copy the message over 

System. arraycopy (b, 0 , answer, 8 ,b. length) ; 
return answer; 


private static byte[] removeRedundancyAndSalt (byte [ ] b) { 
byte[] answer=new byte [b. length-8] ; 

//Copy the message over 

System. arraycopy (b, 8 , answer, 0 , answer . length) ; 
return answer; 


//Other methods. . . 


} 
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Following is an applet called TestRabinCipherApplet, which demonstrates the Rabin 
cipher. It can be found on, and run from, the book’s website. (See Figure 10.5.) The applet 
requests you to enter a desired size for the modulus. Two strong primes are found, and the 
modulus is their product. 


FIGURE 10.5 
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You first type a plaintext message in the plaintext area, then click a button to encipher. 
Clicking this button again regains the plaintext. If you encipher again, you will see that an 
entirely different ciphertext is generated. This is, of course, because salt is used. 

Take note of the block sizes with Rabin; that is, the ciphertext block size is one byte 
greater than the plaintext block size. Why? This is easy to see if you recall that the message 
(as an integer) in a block must be less than the modulus. Suppose, for example, that the 
modulus (as a binary integer) is 26 bits long. We would then choose the plaintext block size 
as the largest byte smaller than 26 bits, or 3 bytes. However, once the encryption takes place 
on this block, it may produce a number as long as 26 bits (certainly greater than 3 bytes) in 
length; thus, the ciphertext block size needs to be one byte greater than the plaintext block 
size, or in this case, 4 bytes. 

Static Ciphers The Rabin cipher, like many other block ciphers, has a weakness in that 
it always maps the same plaintext to the same ciphertext. We call these ciphers memoryless, 
or static. Common plaintext in these cryptosystems can expose itself by appearing often 
(encrypted) in the ciphertext. When a block cipher is being used in this way, we say it is run- 
ning in electronic code book, or ECB, mode. 

A solution to this is to modify these ciphers so that a particular plaintext maps to differ- 
ent ciphertexts, usually depending on its position in the data. When a cipher is modified to 
behave this way, it is called a stream cipher. There are many ways to do this; the standard 
method for public key ciphers is called chaining. 

10.5 CIPHER BLOCK CHAINING (CBC) 

Cipher block chaining refers to a method of enhancing block enciphering. It employs a 
mask using exclusive-or at the bit level. You should be familiar with how an exclusive-or 
works, but we will review it here in Table 10.1. Suppose x and y are bits, and we represent 
the exclusive-or operation with the symbol ©. 

One should note that the © operation is commutative, and reversible, in the sense that if 
X, y, and z are bits, then 

z = X © y iff X = y © z iff y = X © z. 


ZSxAMPLE. Suppose x = 0, and y = 1 . Then z = x©y = 0©l = l. We can recover x by tak- 
ing z©y=l©l=0 = x. It should be clear to you that this is possible no matter what val- 
ues are used for x and y. For completeness, all possible values are in the Table 10.2; note 
that the appropriate columns match. 


X y X 0y 


0 0 0 
0 1 1 
1 0 1 
1 1 0 


TABLE 10.1 
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TABLE 10.2 



We will also use the 0 operator to denote the exclusive-or operation on quantities larger 
than a bit; for example, if X = . . . x„,Y = joji are two bit sequences of length n, 

then 


x0 y 

denotes 

Xi 0 y,- i = 0 , 1,2, . . . ,n. 

Now we can describe CBC, which uses exclusive-or in its operation. It can be used with 
any block cipher to change how enciphering is done. This is how it works: 

Before the first plaintext block Pi is enciphered, it is 0-ed with a block of random bits 
called an initialization vector, or IV. The IV does not need to be secret. The result of this plus 
operation is then enciphered; this produces the first ciphertext block Cj. 

Cl = E(Pi 0 IV) 

We do not specify which block enciphering transformation to use, because it doesn’t 
matter; CBC is intended to work with any block cipher. 

Subsequent plaintext blocks are 0-ed with the previous ciphertext block, then enciphered 
to produce the next ciphertext block. That is, 

C2 = £(P2®Ci) 

C, = E(P,^C2) 


C„ = £(P„0C„_i) 

It should be clear to anyone that this avoids the problem of identical plaintext blocks 
always mapping to the same ciphertext blocks, for any particular block will be enciphered 
differently depending on whether it is first, second, . . . , or last. 

Since 0 is reversible, and since enciphering transformations are intended to be reversible, 
we can recover the plaintext by simply doing what we did earlier in reverse. To decrypt the 
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first ciphertext block, we run it through the deciphering transformation, then © it with the 
IV; this yields the first plaintext block = D{Ci) © IV, since 

Z)(Ci) © IV 

= D{E{Pi © IV)) © IV 

= Pi © IV © IV 

= Pi©0 

= Pi 

We can then regain each subsequent plaintext block P„ because we just use the decryp- 
tion transformation, and the previous ciphertext block C,_i, 

D(C2) © Cl = D(EiP2 © Cl) © Cl = P 2 © Cl © Cl = P 2 © 0 = P 2 

£)(C3)©C2 = P3 


£)(C„)©C„_i=P„ 

Figure 10.6 shows a diagram showing CBC encryption: 

It should be clear that by reversing this operation, decryption coupled with CBC regains 
the plaintext. (See Figure 10.7.) 


FIGURE 10.6 


Cipher Block Chaining - CBC 


E = enciphering transformation 
+ = exclusive-or 


IV = initialization vector 
P(i) = i-th plaintext block 
C(i) = i-th ciphertext block 



FIGURE 10.7 


Cipher Block Chaining - CBC 


E' = deciphering transformation 
+ = exclusive-or i 


C(0) = IV 


IV = initialization vector 
P(i) = i-th plaintext block 
C(i) = i-th ciphertext block 






10.5 Cipher Block Chaining (CBC) 207 


I£xAIVIPLE. For simplicity’s sake, we’ll do an example of CBC using a simple shift Vigenere 
cipher with a block size of one byte. Since we are using a bitwise operation (namely, exclu- 
sive-or), we will be mapping bytes. Some numbers will be in base 2. 

The plaintext message is 

p = I LOVE YOU = [73, 76, 79, 86, 69, 89, 79, 85] = [01001001, 01001100, 01001111, 
01010110, 01000101, 01011001, 01001111, 01010101]. 

(The last quantity is the binary representation.) The key is 

k = CROAK = [67, 82, 79, 65, 75] = 

[01000011, 01010010, 01001111, 01000001, 01001011], 

and the initialization vector is one byte long, given in binary by 

iv= 10110010. 

(Throughout the rest of this example, all numbers will be represented in binary.) The first 
ciphertext block is enciphered as 

Cl = E(py © iv) 

= £(01001001 © 10110010) 

= £(11111011) 

^ 11111011 +01000011 (mod 100000000) 

^00111110 (mod 100000000) 

where we represent the enciphering transformation as £. The resulting ciphertext block is 
used as input for enciphering the next ciphertext block. This yields 

C2 =£(>2 ©Cl) 

= £(01001100 ©00111110) 

= £(01110010) 

^ 01110010 + 01010010 (mod 100000000) 

^ 11000100 (mod 100000000). 

The enciphering continues, with each block’s value dependent on the previous ciphertext 
block. 

C3= 11011010 
C4= 11001101 
C5= 11010011 
C6= 11001101 
C7= 11010100 
C8= 11010000 
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Some ciphers do not need to use chaining, for they are already stream ciphers. The fol- 
lowing public key cipher is a perfect example. 

10.6 BLUM-GOLDWASSER PROBABILISTIC CIPHER 

This is another public key cipher based on quadratic congruences, which uses a mask at the 
bit level with an exclusive-or operation. This cipher qualifies as a stream cipher, which 
encrypts the same block differently depending on its position in the plaintext. Note that 
Rabin and most of the other block ciphers presented thus far do not have this property; that 
is, they always map a particular plaintext to the same ciphertext, unless we employ some 
type of chaining. 

To generate keys for Blum-Goldwasser, one must choose two large primes, p and q, both 
congruent to 3 modulo 4, and let n = pq. At current levels of computing power, n should be 
at least 1024 bits in length. Then, using the extended Euclidean algorithm, find two integers 
a and b such that 

ap + bq= 1 . 

The public key is the integer n, and the private key is the 4 values a, b, p, and q. 

To encrypt a message (anyone can do this with the public key n), one does the follow- 
ing. 

1 . Let k be the largest integer not exceeding log 2 n, and let h be the largest integer not exceed- 
ing log 2 A:. Represent the plaintext message P as an array mim 2 ... m, of length t where 
each m, is a binary number of length h. 

2. Select a random square Xq modulo n. One can do this by selecting a random integer r 
between 1 and n — 1, then setting 

Xo= (mod n) (0 < Xq < n) 

3. Now, for ( = 1 to t (in order) do 

• Let Xj = X;_i^ (mod n) (0 < x,- < n) 

• Let Pi be the h least significant bits of x,. 

• Let C; = Pi © nil. 

4. Compute x,+ i = (mod n) (0 < x,+i < n) 

5. Send the ciphertext message C = C 1 C 2 . . . c, and the integer x,+ i. 

Note that only knowledge of n is required to encrypt. Now, to decrypt, the individual 
possessing the private key values a, b, p, and q proceeds as follows. 

1 . Let d^{(p+ l)/4)'+' (mod p - \) (Q<d<p-\) 

2. Let e^{{q+ l)/4)''"' (mod ^ - 1) (0 < e < ^ - 1) 

3. Let M = x,+ / (mod p) {0< u <p) 

4. Let V = x,+ i® (mod q) (0<v<q) 

5. Retrieve Xq by taking Xg = vap + ubq (mod n) (0 < Xg < n) 


10.6 Blum-Coldwasser Probabilistic Cipher 209 


6. Now, for i from 1 to ? do: 

• Let Xi = Xi-^ (mod n) (0 < x,- < n) 

• Let Pi be the h least significant bits of x,. 

• Compute nil = Pi ® C;- 

and the plaintext message P = mim 2 ... m, is regained. 

Why does this scheme work? In particular, how does the recipient retrieve the random 
value Xq chosen by the sender? Decryption hinges on this, for once the receiver computes 
Xq, she can compute each successive x,, and consequently compute each nii = pi 0 C;. First, 

observe that since x, is a square modulo n, that is, x, = x,_i^ (mod n), has a solution, then 

x, = x,^i^ (mod p) also has a solution (see the proof of proposition 31). Thus, we have 

= j (mod p). 

(This is called Euler’s criterion; you were asked to prove this in order to prove proposition 
30). Given this, note that 

^ (_,2)(p+1)/4 ^ ^ xr^^'\ - X, (mod p) 

In the same way, ^ (mod p) and hence 

(x,+ i<^41)/4)2 ^ 

Continuing in this way, we obtain 

M = = (x,+ i<^4i)/4y+i = (mod/?). 

We obtain a similar result for v: 

V = x,+{ = (x,+ /«4^>'4y+i = (mod q). 

Note that we have not yet obtained Xq; only 2 residues of Xq congruent to u and v mod- 
ulo p and q, respectively. We need the Inr of Xq modulo n, for this is Xq itself. To achieve this, 
we note that since 

ap + bq = I 

we have both of the following: 

bq=\ (mod p) 
ap = \ (mod q). 

Thus, using the above two congruences, we derive the two congruences 

vap -H ubq = Xq (mod p) 
vap + ubq = Xq (mod q) 
and hence, by proposition 26, we know that 

vap + ubq = Xq (mod n) 

and hence the random seed Xq is discovered, making decryption possible. 
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Since the intended recipient is the only one with knowledge of a, b, p, and q, she should 
be the only individual able to compute Xg. For without these values, it appears necessary to 
obtain Xq by computing the sequence x„ , X 2 , Xi by taking successive square roots mod- 
ulo n beginning with x,+i. As we have mentioned, this is an intractable problem without 
knowledge of the prime factors of n. 

Why is this called a “probabilistic” cipher? It has to do with the apparent “randomness” 
of successive squares modulo n. Note that encryption is done by taking successive squares 
modulo n, and “masking” (via 0) the h least significant bits of the ith square with the ith 
plaintext unit. This produces a ciphertext that appears random, in the same sense that squares 
modulo n appear random. That is, if we could examine a square modulo n and notice some 
pattern in its binary digits, we could use this information to help us find the square root 
modulo n. We know of no other way to find solutions to quadratic congruences modulo n 
without factoring n into its prime factors; thus, a square modulo n looks merely like random 
data. 


lixAMPLE. We will do an example of this type of encryption using small values for p and q\ 
in practice we would use primes hundreds of digits long. Say the recipient chooses two 
primes, p = 503, and q = 563. (Note that both p and q are congruent to 3 modulo 4). Using 
the extended Euclidean algorithm, she computes two values a and b such that ap + bq= 1. 
These are a = — 122, and b = 109. She computes n = pq = 503 ■ 563 = 283189, and makes 
public the value of n. 

Now suppose someone wishes to send the message (seen as a binary integer) 

P= 10011100001011111010 

to this recipient. He knows the value n = 283189, and so uses it to select a random square 
Xq = 258507 = 736^ (mod 283189). (The value 736 was chosen randomly.) Now, to block 
the message, he computes log 2 n = 18.11140570189, and so chooses k = 18. He then com- 
putes log 2 A: s 4.169925001442, and then chooses h = 4. (Note the recipient can also com- 
pute these values, so she also knows the appropriate block size.) He then splits the message 
up into 4 bit blocks, to get 

nil = 1001 
m2 = 1100 
m3 = 0010 

m4= nil 
= 1010 . 

Now he must compute the successive squares Xj, X 2 , X 3 , X 4 , Xj modulo n, and mask (via 
©) the h least significant bits of the ith square with the ith plaintext unit to get the ith cipher- 
text unit. We show this in Table 10.3. 

Finally, the sender must compute x^ = Xj^ = 67738 (mod n). He then sends to the recip- 
ient the ciphertext message 


C = (1000, 1101, 0001, 1010, 0100, 67738). 
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TABLE 10.3 



TABLE 10.4 



To decrypt the message, the recipient must retrieve the random seed that the sender chose. 
Then she can compute the same sequence of squares X 2 , x^,, x^, x^ and retrieve the plain- 
text hy ©-ing the 4 least significant hits of the squares with the ciphertext. She does this hy 
computing 

d ^ ((503 H- l)IAf ^ 302 (mod 502) 

e = ((563 H- \)IAf ^ 101 (mod 562) 

u = 67738^“ ^ 468 (mod 503) 

V = 67738^°‘ = 90 (mod 563). 

Finally, she obtains Xq, the Inr of vap + ubq modulo n. 

xo ^ 90 • -122 • 503 h- 468 • 109 • 563 ^ 258507 (mod 283189) 

For completeness. Table 10.4 shows the recovery process. 

_l Thus, the plaintext P = 1001 1100 0010 1111 1010 is regained. 

.7 WEAKNESSES OF THE BLUM-COLDWASSER PROBABILISTIC 
CIPHER 

This cipher can be broken if the following weaknesses are not dealt with. First, the primes 
must be chosen carefully; for example, we must avoid primes p for which the factorization 
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of p — 1 consists entirely of small factors. Also, as with Rabin, Blum-Goldwasser is vul- 
nerable to a chosen ciphertext attack. You should consider how such an attack may be posed. 


EXERCISES 

1. Use Rabin to encipher the following messages: 

a. TORPEDO AWAY 

b. FIRE AT WILL 

c. WILL GONE BELAY MY LAST 

Use p = 11027, q = 10859, and the ordinary alphabet. Use a tagging scheme for the sake 
of decryption. Block and pad as necessary, but do not use salt. Then decipher. 

2. Explain how Blum-Goldwasser probabilistic encryption is vulnerable to a chosen 
ciphertext attack. 

3. Write a Java program to execute a chosen ciphertext attack on Rabin. 

4. Write a Java program to execute a square root attack on an unsalted enciphered mes- 
sage sent to multiple recipients using the Rabin transformation. 

5. Write a rabinEncipherWCBC() method and a rabinDecipherWCBC() method for the 
Ciphers class. 

6. Write enciphering and deciphering methods for the Blum-Goldwasser cipher. 


CHAPTER 1 1 
Primality Testing 


Note that we are now using cryptosystems that require us to find and use large prime 
numbers. How do we find large prime numbers? Do we pick a large random odd inte- 
ger and try to factor it? No. Factoring takes a lot of time, and is not a good way of deter- 
mining whether or not an integer is prime. In fact, this is exactly what makes the Rabin 
cipher and others like it secure. If factoring the public key n was not extremely difficult, any- 
one could factor n and obtain the private key values p and q (the factors of n). You may have 
assumed that attempted factoring is the only way to determine whether or not a number is 
prime. It isn’t. We develop alternative methods to do this now. 

First recall Fermat’s Little Theorem (FLT): If p is prime and p -f a, a'’ ^ = 1 (mod p). (Note 
that the contrapositive of FLT says that if ^ 1 (mod p), p must be composite.) What about 
the converse of FLT? That is, if a'’ ' = 1 (mod p), can we conclude that p is prime? Sur- 
prisingly, this is often true. We can see this if we raise 2 to some integer powers, as shown 
in Table 11.1. 

It appears that when n is prime, we always get a value congruent to 1, and when n is 
composite, we get a value not congruent to 1. However, this doesn’t always hold. There are 
composite integers n for which 2”^^ = 1 (mod n). Take the composite number 341 = 1 1 ■ 3 1 . 
When we raise 2 to the 340 power, we get a least nonnegative residue of 1 modulo 341. (Ver- 
ify.) If the converse of FLT were true, we could conclude that 341 is prime; but it obviously 
isn’t, so the converse of FLT is not true. 

There isn’t anything special about the choice of 2 as our base, so we might want to sim- 
ply try another base. For example, we apply “Fermat’s test” on 341 using 3 as the base. We 
get 

3^'*“ ^56 (mod 341). 

This establishes immediately that 341 is composite. So, we might think we can get around 
the failure of Fermat’s test by just trying different bases modulo n until we either 

1 . Obtain a least nonnegative residue not equal to 1, and conclude that n is composite. 

2. Do not obtain a residue congruent to 1 modulo n after many tries with different bases, 

and conclude that n is probably prime since we can’t prove it isn’t using this test. 
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TABLE 11.1 





3 

22 = 1 (mod 3) 

Yes 

4 

23 = 0 (mod 4) 

No 

5 

24 = 1 (mod 5) 

Yes 

6 

25 = 2 (mod 6) 

No 

7 

26 = 1 (mod 7) 

Yes 

8 

27 = 0 (mod 8) 

No 

9 

28 = 4 (mod 9) 

No 

10 

29 = 2 (mod 10) 

No 

11 

210 = 1 (mod 11) 

Yes 


This isn’t a bad idea, actually, if it weren’t for the existence of Carmichael numbers; 
these are very rare composite integers that fool Fermat’s test for any base b relatively prime 
to n. The integer 561 = 3 ■ 11 • 17 is a Carmichael number, and we can prove it in this way: 
Take any base b relatively prime to 561; so (b, 3) = (b, 11) = (b, 17) = 1. FLT tells us then 
that b^ = I (mod 3), b^° = 1 (mod 11), and b^^ = 1 (mod 17). This tells us then that 

b560 ^ (.^2)280 ^ ^ 3)^ 

^560 ^ (.^ 10^56 ^ ^ 

^560 ^ (-^16)35 ^ ^ ^7^ 

Proposition 26 now implies that b^^° = 1 (mod 561) for any base b such that (b, 561) = 
1, and so 561 is a Carmichael number. 

Though Carmichael numbers are very rare (much rarer than primes), there are still infi- 
nitely many of them. However, we will not prove this. The fact that they exist at all is enough 
to avoid using Fermat’s test for primality, especially when we can develop better tests which 
Carmichael numbers cannot fool. An example of such a test is Miller’s test. Miller’s test is 
based on Fermat’s test, but carries it a bit further. In order to prove that it works, we will need 
the following, which you should easily be able to prove. 

PROPOSITION 34 Let p be prime, and suppose = 1 (mod p). Then x = 1 (mod p) 
or X = — 1 (mod p). 

Proposition 34 says the only square roots of 1 modulo a prime are 1 and — 1. This fact 
will be immensely helpful. Now we can discuss Miller’s test, which is based on proposition 
34. 
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11.1 MILLER'S TEST 


Definition (Miller’s Test.) 

Let n be a positive integer with n — 1 = 2T where s is a nonnegative integer, and t is an 
odd positive integer. We say that n passes Miller’s test for the hase b if either b' = I (mod 
n) or fo*' = — 1 (mod n) for some k = 2',0<j<s— 1 . 


Let’s discuss in detail how Miller’s test works. Suppose you are testing the integer n for 
primality, and obtain b"^^ = 1 (mod n). This doesn’t tell you if n is prime or not, so consider 
the quantity y = {n — l)/2, and evaluate x = ZT (mod n). If n is prime we must have x = I 
(mod n), or X = — 1 (mod n), since = x ■ x = (h*" = 1 (mod n) by Fer- 
mat’s Little Theorem, and Proposition 34 says the only square roots of 1 modulo a prime 
are 1 and — 1 . So, when we compute x we have the following cases to consider: 

1. X is congruent to neither 1 nor — 1 modulo n. In this case, x has a square root that is con- 
gruent to neither I nor — I ; hence n cannot be prime by Proposition 34 and so fails the 
test. 

2. X = — 1 (mod n). This case says that n may be prime. We can go no further with the test 
once we obtain a residue of — I, so we conclude that n passes the test. 

3. X = 1 (mod n) This also says that n may be prime, and furthermore we can continue to 
test n for primality in this way: 

a. If 2ly, divide y by 2 (again) and evaluate x = Zf (mod n). Then consider as before the 
three cases above. 

b. If y is not divisible by 2, the last value for x was congruent to 1 modulo n. We can go 
no further with the test, and conclude that n passes the test for primality. 

Note that the previous procedure must eventually terminate, since 

• we must eventually obtain a residue not equal to 1 , or 

• during each iteration we divide the value of y in half, and at some point y must fail to be 
divisible by 2. 

It should be clear to you that if you run a prime number through Miller’s test, it will 
pass. 

PROPOSITION 35 If n is prime and Z) is a positive integer such that « T Zi, then n passes 
Miller’s test for the base b. 

Proof. If n is prime in the algorithm described above, you must eventually 
1 . Obtain a value for x = — 1 (mod n), or 



216 Chapter 11 Primality Testing 


2. Fail to be able to divide y by 2 any further 

Either way, the prime n passes the test. At no point can you generate a square root of 1 
that is congruent to neither 1 nor — 1 modulo n, for this is demanded by Proposition 34. ■ 

HXAMPLES. 

1. Take the prime n = 29 and a base = 5; we will see that n passes Miller’s test. Start with 
the exponent y = (n — l)/2 = (29 — l)/2 = 14 and compute S''' = 1 (mod 29). So far, this 
is a pass; divide y by 2 to get y = 7 and compute 5’ = 28 = — 1 (mod 29). This is also a 
pass, and we can continue no further since we obtained a residue of — 1 . (Had we obtained 
a residue of 1 , we still could not have proceeded since y cannot be halved any further; 
regardless, n = 7 passes Miller’s test for the base 5.) 

2. Take the prime n = 251 , and the base b = 22, and note the progression of Miller’s test in 
Table 11.2. 

TABLE 11.2 


Exponent y 

22J'=?(mod 257) 

Conclusion 

128 

1 

Pass-continue 

64 

1 

Pass-continue 

32 

-1 

Pass-STOP 


3. We repeat the above test for n = 257, but using a different base b = 17. (See Table 11.3.) 

TABLE 11.3 


Exponent y 171'= ?(mod 257) 

Conclusion 

128 

1 

Pass-continue 

64 

1 

Pass-continue 

32 

1 

Pass-continue 

16 

-1 

Pass-STOP 


4. We repeat the test one more time for n = 257, but using a base b = A. (See Table 1 1 .4.) 

TABLE 11.4 


Exponent y 

4i'=?(mod 257) 

Conclusion 

128 

1 

Pass-continue 

64 

1 

Pass-continue 

32 

1 

Pass-continue 

16 

1 

Pass-continue 

8 

1 

Pass-continue 

4 

-1 

Pass-STOP 
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You are invited to verify the values obtained here. When an integer n fails Miller’s test, 
n is definitely composite, but if it passes, we still don’t know for sure whether or not it is 
prime. However, there exist no composite integers that can fool Miller’s test to every base 
b\ even Carmichael numbers must eventually fail Miller’s test for some base b. We will not 
prove this, but will state a proposition to this effect. The proposition actually says something 
much stronger; it puts an upper bound on the number of bases for which a composite inte- 
ger can fool Miller’s test. 


PROPOSITION 36 Suppose n is an odd, composite positive integer. Then n fails Miller’s 
test for at least 75 percent of the test bases b where \ <b<n — 1. 

For example, take the Carmichael number 561 ; it passes Fermat’s test, but fails Miller’s 
test for the base 2. (See Table 11.5.) 

The failure of Miller’s test establishes definitely that 561 is composite. Note that Propo- 
sition 36 says that there can be nothing akin to Carmichael numbers for Miller’s test. In 
fact. Proposition 36 allows us to establish a “probability” that an integer is prime. Suppose, 
for example, that we take a very large integer n and it passes Miller’s test for some base b 
between 1 and n — \. Since n can pass Miller’s test for at most 75 percent of such bases, 
there is no more than a 25 percent chance that n is composite, or equivalently, no less than 
a 75 percent chance that n is prime. 

.2 THE RABIN-MILLER TEST 

If we then repeat Miller’s test on n with different bases, we can either discover that n is 
composite, or force the probability that it is prime as close to 1 as desired. This is in fact what 
modern computers do when searching for large primes, and this particular method of find- 
ing “probable” primes is called the Rabin-Miller test. 

Succinctly: if an integer n passes Rabin-Miller for q different bases, then the probabil- 
ity that n is prime is no less than 1 — (1/4)®. It is important to note that the bases used for 
the Rabin-Miller test be chosen as randomly as possible. The study of pseudo-random num- 
ber generation is a broad topic of great interest to cryptographers; see Chapter 16 on cryp- 
tographic applications. 

Java Algorithm The Java Biginteger class provides a constructor to generate probable 
primes. The test used is different than Rabin-Miller as we have presented it; their version 
establishes after q passes that n is prime with probability 1 — (1/2)®. (Most likely, they are 


TABLE 11.5 
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using the Solovay-Strassen primality test, which uses what are called Jacobi symbols; there 
is no reason for us to learn it, since Rabin-Miller does just as well, and provides higher 
probability with fewer trials.) We will write a method called primeProbabilityO to perform 
Rabin-Miller ’s test on an integer n. It will return the probability that n is prime, given a cer- 
tain number of passes requested. If n fails any pass, primeProbabilityO will return 0. 

import java.math.BigInteger; 
import java . security . SecureRandom; 
public class BigIntegerMath { 

//. . . 

static final Biginteger TWO=new Biginteger (929) ; 

//. . . 

//Implements the Rabin-Miller test. 

//Number of different bases to try is passed in as an int 

//If the Biginteger passes all tests, returns the probability it is prime as a 
/ /double . 

//Returns zero if the Biginteger is determined to be composite, 
public static double primeProbability (Biginteger n,int numPasses) { 
if (numPasses<=0) throw new IllegalArgumentException 
("Number of bases must be positive!"); 

Biginteger b,x; 

SecureRandom sr=new SecureRandom ( ) ; 

Biginteger nMinusOne=n. subtract (ONE) ; 
for (int i=0 ; i<numPasses ; i++) { 

//Choose a random base smaller than n 
b=new Biginteger (n.bitLength ( ) -I,sr) ; 

//Check Fermat's condition first 
x=b .modPow (nMinusOne , n) ; 

if ( !x . equals (ONE) ) return 0.0; //not prime 
//Divide n-1 by 2 

Biginteger [] dr=nMinusOne . divideAndRemainder (TWO) ; 

//Perform the root tests 
while (dr [1] . equals (ZERO) ) { 
x=b .modPow (dr [0] ,n) ; 

//if you get -1, this is a PASS; get out 

if (x . equals (nMinusOne) ) break;//pass 

//Now, if its not -1 or 1, this is a FAIL, return 0 

if ( !x. equals (ONE) ) return 0.0; //not prime 

//If its 1, so far its a pass 

//We can continue with the test; divide by 2 

dr=dr[0] . divideAndRemainder (TWO) ; 


} 

//Only way to get here is by passing all tests 
return 1 . 0-Math.pow (0 . 25 , numPasses) ; 

} 

} 
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The applet called TestPrimeGeneratorApplet generates probable primes of a specified byte 
length. It generates random numbers of the requested length, and tests each for primality until 
one passes, using the number of tests specified. The screen shot in Figure 11.1 is of the 
applet generating a probable prime using Rabin-Miller. 

This particular prime is just a probable prime. It was not constructed to be a strong prime, 
or a safe prime, though it may be either purely by accident. See the chapters on quadratic 
ciphers (Chapter 10) and on exponential congruences (Chapter 13) for an explanation of the 
terms strong prime and safe prime. 

EXERCISES 

1 . Using the Rabin-Miller primality test, determine the probability that the integer is 
prime for each of the following numbers. Choose your own bases (as randomly as you 
can). You should be able to do the calculations without the aid of a computer. 



Prime Generator - Microsoft Internet Explorer 
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19 

3 

101 

5 

103 

4 

97 

3 


2. Repeat the previous exercise using these larger numbers. A program may be used. 




118691 3492875024326501 274951 491 498649 

10 

5239876572574765437612433386478252751 

15 

8843888351 2725438948586054071 951 0049 

20 

930940866280690607285036868096531589 

30 

899476440042092355083033089040210287 

33 


3. Test the following number for primality; use 5 different random bases: 

1358298529049385849277351428359266778603493846931744549748519669727813 

0927542418487205392083207560592298578262953847383475038725543234929971 

1555483428006287218857634994063903317828641441646807307668371605262231 

7651279843577212995655335528603220308038077575973232019898509488400406 

9116123084147875437183658467465148948790552744167567. 




CHAPTER 12 


Factorization Techniques 


The Rabin cipher, like some other modern ciphers, is believed secure because break- 
ing it seems to involve factoring a huge integer having two large prime factors. This 
certainly appears to be the case; finding large prime factors is an intractable problem. Hence, 
research into better factorization techniques is a very serious endeavor now, often involv- 
ing fair sums of money. 

Many factorization methods have been developed over the years, but unfortunately, they 
are not widely known to the public. In fact, it is likely that trial division is the only method 
of factoring most people will learn in their lives. 

Recall how the trial division method works; to factor an integer n, do trial divisions of n 
by integers between 2 and the square root of n. A factor, say d, of n is guaranteed to lie in 
this range by proposition 6. We can then take = nid, then continue to factor by look- 
ing for factors between 2 and the square root of Wj. We continue in this way, reducing the 
size of n by producing a smaller number to factor, at iteration i. We will eventually obtain 
the full factorization of n. The trial division method is quite simple, but is very inefficient 
when n has only large prime factors, since it may be necessary to try factors very near Vn. 
When n is very large, its square root is also very large; a loop passing through all the primes 
less than Vn could take virtually an eternity. However, it is important to note that when n does 
have small prime factors, this sequential search for factors is quite efficient, and often finds 
small factors well before an alternative factoring method would. 

We will cover a few alternative methods of factoring here; many are quite innovative, and 
the fact that they actually work may seem surprising to you. Though none of the methods 
covered here are nearly fast enough to break ciphers based on the factoring problem, inves- 
tigating them is undoubtedly worthwhile, for they may provide insight into even better fac- 
torization methods. 

12.1 FERMAT FACTORIZATION 

This method is named after Pierre de Fermat. Though it can be even more inefficient than 
the trial division method, it is valuable in that it provides you with an alternative view of 
factoring. 
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To see how it works, consider an odd positive integer n, and suppose that 

n = ab 

where a and b are integers. (Note that since n is odd, both a and b must be odd.) Now, note 
that we can write n as the difference of two squares 

n = f 

if we have 

^ = (fl + b)l2, and 
t=(a- b)I2. 

Note that both s and t are integers, since both a and b are odd. Similarly, if we have an 
odd positive integer n that is the difference of two squares, say 

2 2 

n=x — y 

then we can factor this integer into 

n = cd 

where 

c = {x + y), and 
d=(x — y). 

Thus, we can approach the problem of factoring an odd positive integer n by looking for 
squares whose difference is n, rather than looking directly for factors of n. That is, we look 
for integer solutions of the equation 

2 2 

n=x — y . 

We can do this by rewriting the previous equation in this way: 

=x^ — n. 

and search for perfect squares of the formx^ — n. We can do this sequentially; we start with 
m, the smallest integer greater than the square root of n, and look for perfect squares in the 
sequence 

— n,(m + 1)^ — n, {m + if' — n, .. . 

This search is guaranteed to end, since m will have to go no further than m = (n + l)/2, 
since: 

(in + \)l2f -« = ((«- \)l2f 

and all the terms are integers. To see that the previous equation is true, note that 
((« + l)l2f - ((« - l)/2)^ = irf + 2n+ l)/4 - (n^ - 2n + l)/4 = 4n/4 = n. 


(However, if we do go this far, note that we have only obtained the trivial factorization 
n = n ■ 1.) 
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I£xAMPLES. We will use Fermat factorization to factor the following integers: 

a) 3811. We begin with m = 62> 61.73 = V3811 and look for perfect squares in the sequence 

62^ - 3811 =3844 - 3811 =33 
63^ - 3811 =3969 - 3811 = 158 
64^ - 3811 = 4096 - 3811 = 285 
65^ - 3811 = 4225 - 3811 = 414 
66^ - 3811 =4356 - 3811 =545 
67^ - 3811 = 4489 - 3811 = 678 
68^ - 3811 = 4624 - 3811 = 813 
69^ - 3811 =4761 - 3811 =950 
70^ - 3811 = 4900 - 3811 = 1089 = 33^ 

Thus we obtain a factorization of 3811 by noting that 

3811 = 70^ - 33^ = (70 + 33)(70 - 33) = 103 ■ 37. 

b) 6077 

Begin with m = 78 > 77.95 = a/ 6077 and examine the sequence 

78^ - 6077 = 6084 - 6077 = 7 
79^ - 6077 = 6241 - 6077 = 164 
80^ - 6077 = 6400 - 6077 = 323 
81^ - 6077 = 6561 - 6077 = 484 = 22^ 

And we see that 6077 = 81^ - 22^ = (81 + 22)(81 - 22) = 103 • 59. 

c) 11 

Begin with m = 4 > 3.32 s a/ 1 1 and examine the sequence 

4^ - 11 = 16 - 11 =5 
5^ - 11 =25 - 11 = 14 
6^- 11 = 36 - 11 =25 = 5^ 

And here we obtain the trivial factorization 11 = 6^ — 5^ = (6 + 5)(6 — 5) = 11 • 1. 

□ 


Hopefully you can see how inefficient this method of factoring can be. It can be even 
worse than the trial division method, for trial division never has to test more than Vn inte- 
gers, but with the Fermat method it may be necessary to search as many as (n H- l)/2 — Vn 
integers before the procedure is guaranteed to terminate. As the integer n gets larger, the quan- 
tity (n -I- l)/2 — Vn becomes much larger than Vn. (See Table 12.1.) 

The Fermat factorization method is most efficient when the two factors of n, say 


n = ab = = (x + y){x — y) 
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101 

10.04987562 

40.95012438 

1001 

31 .63858404 

469.361416 

10001 

100.0049999 

4900.995 

100001 

316.2293472 

49684.77065 

1000001 

1000.0005 

499000.9995 

10000001 

3162.277818 

4996838.722 

100000001 

10000.00005 

49990001 

1000000001 

31622.77662 

499968378.2 

10000000001 

100000 

4999900001 


are close together (thereby making x and y close together). This keeps the search of the 
sequence 

— n, (m + 1)^ — n,{m + 7,'f' — 

relatively short. 

Java Algorithm To develop a method to extract factors of n using Fermat factorization, 
we need to be able to compute Vn. The Biginteger class contains no square root method, so 
we must write our own. We wish this method to return the largest integer whose square 
does not exceed n. To compute the integer square root of a positive number, we will approach 
the real root using a numerical algorithm known as Newton’s method. Suppose we wish to 
find the square root of n\ i.e., a solution to 

= n. 

We will do this by trying to find a root (or a zero) of the function 

/(x) =x^ - n. 

To use Newton’s method, we need the derivative of/(x), which, in this case is 

/'(x) = 2x. 

We begin with an initial guess for the root, say Tq. Suppose, for convenience, that this 
guess overestimates the true root. (See Figure 12.1.) We compute subsequent guesses by com- 
puting 

^=1,2,3,... 

These guesses approach a true root of/(x) rather quickly. If the root we seek is irrational, 
we truncate the result to produce the integer square root. I have written a sqrt() method and 
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placed it in the BigIntegerMath class. It makes use of the BigDecimal class, which allows 
us to compute with arbitrarily large numbers using arbitrary precision. 

public static Biginteger sqrt (Biginteger m) { 

//Uses the Newton method to find largest integer whose square does not exceed m 
//We search for a zero of f (x)=x^2-p ==> note that derivative f' (x) =2x 

int dif f=m. compareTo (ZERO) ; 

//Throw an exception for negative arguments 
if (diff<0) throw new IllegalArgumentException 

("Cannot compute square root of a negative integer!"); 

//Return 0 in case m is 0 

if (diff==0) return Biginteger .valueOf (0) ; 

BigDecimal two=new BigDecimal (TWO) ; 

//Convert the parameter to a BigDecimal 
BigDecimal n=new BigDecimal (m) ; 

//Begin with an initial guess-the square root will be half the size of m 
//Make a byte array at least that long, & set bits in the high order byte 
byte [] barray=new byte [m.bitLength ( ) /16+1] ; 
barray [0] = (byte) 255 ; 

//This is the first guess-it will be too high 
BigDecimal r=new BigDecimal (new Biginteger ( 1 , barray) ) ; 
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FIGURE 12.2 



//Next approximation is computed by taking r-f (r) /f ' (r) 
r=r . subtract (r .multiply (r) .subtract(n) .divide 
(r .multiply (two) , BigDecimal . ROUND_UP) ) ; 

//As long as our new approximation squared exceeds m, we continue to approximate 
while (r .multiply (r) . compareTo (n) >0) { 

r=r . subtract (r .multiply (r) . subtract (n) .divide 
(r .multiply (two) , BigDecimal . ROUND_UP) ) ; 

} 


} 


return r . toBigInteger ( ) ; //Method truncates any fractional part of a BigDecimal 



We will test the method with the following applet, TestSQRTApplet, from the hook’s 
wehsite. (See Figure 12.2.) 

Once we have this square root finding method, writing a program to find factors using 
Femat’s method should be simple. 


12.2 MONTE CARLO FACTORIZATION 

Another method of factoring was developed by J. M. Pollard, who called it the Monte Carlo 
method, due to the type of numbers generated in the method. Here we will not prove that 
this works; we will only describe the algorithm. 

Say n is composite, and that p is its smallest prime divisor. We wish to choose a sequence 
of integers, say mg, nii, m 2 , . . .,mi^ such that their Inr’s are distinct modulo n, but not all dis- 
tinct modulo p. Though we will not prove the following, this happens when 

• k is large compared to Vp, 

• k is small compared to Vn, and 

• the m, (where 0< i< k) are chosen randomly. 
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Suppose we generate a sequence of random integers as mentioned, and we come across 
a pair m^, such that 

(mod p) 
but 


niq ^ m,. (mod n). 

It follows then that the gcd of — nii. and «; that is, (m^ — m^, n), is a nontrivial divi- 
sor of n, since 

p\{m^ - m,) 
but 


n 'f {niq — m^). 

The question is, how quickly can we find such a pair of numbers? As mentioned earlier, 
this pair will surface relatively quickly if we generate the sequence randomly. We do this 
in the following way: 

• Start with an initial, randomly generated integer, mg- 

• Generate successive terms in the sequence by computing 

m, = + 1 (mod n), 0 < m,- < n 

This, of course, is not a random sequence, but it “appears to be,” and for our purposes it 
will suffice. (See the chapter on cryptographic applications.) Once we have generated m2, 
in the sequence, we check the greatest common divisor of m2, — m, and n; if we have 

(m2,' — m,', n) = d, \ <d <n, 

then, as we mentioned before, we have found a nontrivial divisor of n. 

Example. We will attempt to factor n = 356659679. Start with an initial value for nig, say 
1260345256, and proceed to generate numbers in the sequence. 

mi = 1260345256^ H- 1 ^ 72342499 (mod 356659679) 

m2 = 72342499^ H- 1 ^ 278250477 (mod 356659679) 

Now we can compute 

(m2 -mi, 356659679)=!. 

This fails to help us, so we continue to compute numbers in our sequence. 

m3 = 278250477^ -t- 1 ^ 66447814 (mod 356659679) 

m4 = 664478 14^ H- 1 ^ 333376938 (mod 356659679) 

Now we compute (m4 — m2, n), which again is 1 . This gives us nothing, so we continue 
to compute the next two values, and mg, then m-j and mg, and so on. We obtain a nontrivial 
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divisor when we compute (ntg — m^, n) = 359. A complete listing of these values can be seen 
in Table 12.2. 


TABLE 12.2 



□ 

I£xAMPLE. Let n = 72133. We apply the Monte Carlo method to obtain the values shown in 
Table 12.3. 


TABLE 12.3 



Q 
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I£x AMPLE. Let n = 9090909091. We apply the Monte Carlo method to obtain the values 
shown in Table 12.4. 


TABLE 12.4 



a 


HxAMPLE. Let n = 992387659879678689176986897665716567855813467857777. We 
apply the Monte Carlo method to obtain the values shown in Table 12.5. 


TABLE 12.5 



□ 

Java Algorithm The monteCarloFactor() method will be quite interesting to write. We 
will make an array of integers to hold the generated sequence, and compute gcd’s at every 
other iteration of the number-generating loop. The code to do this is elementary. (This 
method is in the BigIntegerMath class): 

//Monte Carlo factorization method returns a Monte Carlo factor. 

//An array holds a sequence of random numbers; must specify max 
//size of this array. 

//This puppy returns null if no factor is found. 

public static Biginteger monteCarloFactor (Biginteger n, int maxArraySize) 
throws IllegalArgumentException, ArrayIndexOutOfBoundsException { 
if (n. compareTo (THREE) <=0) 

throw new IllegalArgumentException ( "Number to factor must be > 3"); 

Biginteger [] m=new Biginteger [maxArraySize] ; 
m[0] =BigInteger .valueOf (new RandomO .nextint () ) ; 

Biginteger g; 

for (int i=l ; i<maxArraySize ; i++) { 

m [i] =m [i-1] . multiply (m [i-1] ) . add (ONE) .mod (n) ; 
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if (i%2==0) { 

g=m[i] .subtract (m[i/2] ) .gcd(n) ; 

if (g. compareTo (ONE) >0&&;g. compareTo (n) <0) return g; 

} 

} 

return null; 


This method is unsatisfactory for integers having truly “large” factors (say, greater than 
10'^). You can verify this by testing the method with numbers having factors of this size; 
the method starts to fail at around this point. Recall that the length of the sequence k should 
be large compared to V/?. In the previous case, k = 100000, and Vp = a/900383347 s 
30006.39, which is why the method succeeded in finding the factor. But for factors exceed- 
ing, say, k would need to be at least as high as 2^°, and will thus require storage space 
for around a million Bigintegers. This is already beginning to test the capacity of some 
machines, and factors of much larger size are common in modern cryptography. 

12.3 THE POLLARD p - 1 METHOD OF FACTORIZATION 

This method of factorization was also developed by J. M. Pollard. It can be effective in 
finding large factors p if the choice of p is such that the integer p — I consists of only small 
prime factors. This is certainly not unusual, and in fact is quite common. It may seem strange 
to you that the factorization of p — 1 can help us find the factor p, but it can. 

Suppose n is a large composite integer, and that n has a factor p such that {p — 1)IA:! for 
some k. Now, if the prime factorization of/? — 1 consists entirely of small prime factors, this 
number k will not be excessively large (and A:! will be computable). 

Now, by Fermat’s Little Theorem (FLT), we have 

2'’ ‘ = 1 (mod p) 

and since ip — 1)1^! for some integer k, we have k\ =(p — l)q for some integer q. This then 
yields 

= (2'^-'))'? ^ L = 1 (mod p). (FLT is used here.) 

This says that p\{2’^' — 1). Now, let Z be the least nonnegative residue of 2*' — 1 mod- 
ulo n. 

If n 4(2*' - 1) 

we have 

Z = (2*’ — 1) — ni, for some integer i. 

Note, now that p\Z, since it divides both 2*' — 1, and n. Thus, we see that a divisor of n 
can be found simply by computing (Z, n). Should Z and n not be relatively prime; that is, 
{Z, n) = d > 1, then <7 is a nontrivial factor of n. 

Note that if nl(2*' — 1), the p — \ method will fail, since then we would have Z = 0 
(mod n), and computing the gcd of Z and n would only yield the trivial factor n since (Z, n) 
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= (0, n) = n. It turns out that this is unlikely when n has large prime factors (we will not prove 
this), but should it happen, we can simply choose a base b other than 2 when computing b'‘' 
— 1 , and start over. 


ISxAMPLE. We will attempt to find a factor of n = 632887. (Note that 632887 = 769 • 823, 
and that 768 = 2* ■ 3, so that the smallest value of k for which 768IA:! is k= 10. (To see this, 
note that 10! = 10 • 9 • 8 • 7 ■ 6 ■ 5 ■ 4 • 3 • 2 ■ 1 = (2 • 5) ■ 9 ■ (2^) • 7 ■ (2 • 3) • 5 • (2^) • 3 
■ 2 ■ 1 = 4275 • 2*^ ■ 3 = 4275 • 768.) 

We start by choosing a random base, say b = 261482. We then proceed to compute the 
least nonnegative residue r, = b’' modulo n, for / = 1, 2, 3, . . . . When we have found a non- 
trivial gcd of (r,- — I, n), we have found a nontrivial divisor of n. 


a 


ri = 261482 (mod 632887) 

^ 155053 (mod 632887) 
rj = ^ 386889 (mod 632887) 

= rj'* ^ 181843 (mod 632887) 
rj = ^ 293940 (mod 632887) 

rg = rj® ^ 630444 (mod 632887) 
r-j = ^ 249467 (mod 632887) 


(rj - 1, «) = 1 
(rj - 1, «) = 1 

(r^ — 1 , «) = 1 

(rj - 1, «) = 1 
(rg - 1 ,m)= 1 
(r^ - l,n)= 1 


rg = r/ ^ 234544 (mod 632887) (rg - 1, n) = 1 
rg = ri ^ 422180 (mod 632887) {rg - 1, n) = 1 


rjg = rg^° ^ 582903 (mod 632887) - 1, n) = 769 

In the 10* step, we find that 769 is a nontrivial divisor of 632887, exactly as we expected, 
since 768 divides 101, but no smaller value of the factorial function. 


I£xAMPLE. Here we try to factor n = 559374799933 starting with the base b = 557566181343. 
The values have been placed in Table 12.6. 

This says a factor of 559374799933 is found; namely, 740279. Apparently, this also says 
559374799933 divides 23!, but no smaller value of the factorial function. 

□ 

Java Algorithm A method to extract factors using the p — \ method follows. It is also 
in the BigIntegerMath class. 

public static Biginteger pMinusOneFactor (Biginteger n) 
throws IllegalArgumentException { 
if (n. compareTo (THREE) <=0) 

throw new IllegalArgumentException ( "Integer must be larger than three!"); 
Random rand=new Random ( ) ; 

Biginteger power=BigInteger . valueOf (1) ; 
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TABLE 12.6 





1 

557566181343 

1 

2 

436541389360 

1 

3 

155204284985 

1 

4 

538254521186 

1 

5 

224074559848 

1 

6 

556398555479 

1 

7 

461773086408 

1 

8 

524373376099 

1 

9 

528286461332 

1 

10 

257084687919 

1 

11 

553469773152 

1 

12 

378473232758 

1 

13 

281899611802 

1 

14 

377823757725 

1 

15 

263895130902 

1 

16 

262689042015 

1 

17 

286305785793 

1 

18 

489134478513 

1 

19 

96491246483 

1 

20 

194503288400 

1 

21 

141727500886 

1 

22 

97401438906 

1 

23 

173399991845 

740279 




12.3 The Pollard p - 1 Method of Factorization 


233 


Biginteger residue=lnr (Biginteger . valueOf (rand. nextint ( ) ) ,n) ; 
Biginteger test=residue . subtract (ONE) ; 

Biginteger gcd=test .gcd (n) ; 
while (true) { 

while (gcd . equals (ONE) ) { 

power=power . add (ONE) ; 
residue=residue .modPow (power , n) ; 
test=residue . subtract (ONE) ; 
gcd=test.gcd(n) ; 

} 

if (gcd. equals (n) ) { 

power=BigInteger .valueOf (1); 

residue=lnr (Biginteger .valueOf (rand. nextint 0 ) ,n) ; 
test=residue . subtract (ONE) ; 
gcd=test .gcd (n) ; 

} else return gcd; 

} 


The Pollard p — I method can be used to break cryptosystems based on factoring num- 
bers having large prime factors if the primes are chosen carelessly. To prevent this method 
from factoring quickly, one must make sure that the choice of a prime p must be such that 
p — \ has at least one large prime factor. For example, consider the following prime: 

p= 160086307116559738155869925798757514626756457565007398646711114857005 
992922967078590696196618658161690735876437589642027120745407208793588072 
404971617007494843354135377095406066154855880767615610812537786121677226 
656934787295293329889991101773874178363226192550806087278026993983201987 
753863431668129069694725023374409414275815875828834913374670967078348380 
060934470394466978765779646756545675424549350157457563271478245865405680 
761395848801899028763255590217026083243137987131686080581096674871056010 
581499513879026589855942403498079792835159647491344925369568016515800543 
448680025803391561534522694855761493401748918989590240396787824784555716 
446448873404044136201133055019564546002121091038978073635688462008895936 
295056689750153498900363988015318027982295262581227520000000000000000000 
000000000000000000000000000000000000000000000000000000000000000000000000 
000001 . 



If you run the Pollard p — I method on a large integer having this prime /? as a factor, p 
will be found in only 399 iterations! Why? It turns out that this particular prime p = 399! H- 
1 . Though these primes are rare, there are many other primes q not specifically of this form 
such that q — I divides k\ for a relatively small value of k. To ensure this does not happen, 
we must choose such primes such that q — \ has a large prime factor, forcing k to also be 
large. 

I have written an applet (called TestFactor Applet), which demonstrates both the Monte 
Carlo method, and the Pollard p — I method of factorization. You enter an integer, then 
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FIGURE 12.3 


^ Factorization Demonstiation Applet • Microsatl folernel PxplorHr 


JnJicJ 


File Edit View Favorites Tools H ^ t »» Address 




Enter a positive integer to factor here; 


53024985702937850382347509823830568972365837365897365897683756892 
76589723689476982568976891 2681 6289461 289468975689347569861 2341 298 
4701 294782901 846891 2764897698521 561 1 1 


Find Monte Carlo Factor 


Find Pollard p-1 Factor 


46651 051 is a Monte Carlo factor of 

53024985702937850982347509823890568972365897365897365897689756892 
76589723G8947G9825G8976891 2G81 G2694G1 2894G8975G893475G98G1 2341 298 
4701 294782901 846891 2764837698521 56111 , 

jd 


press a button to find a factor. You may choose either method, and the applet is threaded so 
that you can search for a Monte Carlo factor and a Pollard p — I factor at the same time. 
(See Figure 12.3.) 


EXERCISES 

1. Write a fermatFactor() method and place it in the BigIntegerMath class. 

2. Write a trialDivisionFactor() method in the BigintegerMath class to work with Bigln- 
tegers. 

3. Write a test program to compare the performance of the factoring methods for numbers 
having factors of small, intermediate, and large sizes. How does the trial division method 
compare to the other methods when factors are small? 





CHAPTER 13 

Exponential Congruences 


This chapter involves solving congruences of the form 

a' = b (mod n) 


for X. If there is a solution for x, we call x a discrete logarithm modulo « of a to the base b, 
and we write 


When the modulus n is clear from the context, we often simply write 

X = logi,a. 

If p is a large prime, these congruences can be very difficult to solve; this is formally 
known as the discrete logarithm problem, or DLR To help us understand the nature of these 
problems, weTl need to do some development. As a review, recall Fermat’s Little Theo- 
rem: 

If p is prime, and b is an integer such that p ^ b, then 
1 ^ 1 (mod p). 

However, could b^ be congruent to 1 modulo p for some value z smaller than p — 1 ? We 
can see this is possible just from the following simple example: let p = 7, and examine the 
powers of each integer greater than 0 but less than 7. (See Table 13.1.) 

Note that the integers 2, 4, and 6 (and also 1, obviously), yield powers which are con- 
gruent to 1 modulo 7 for values smaller than 6. 
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TABLE 



13.1 ORDEROF AN INTEGER 


Definition 

Let n be a positive integer and b an integer. Then the least positive integer z for which 
= I (mod n) is called the order of b modulo n. We denote this as lhl„. If the modulus 
n is clear from the context, we simply write \b\. 


Examples. From the previous table, we see that 

I2I7 = 3, 13I7 = 6, I4I7 = 3, 15I7 = 6, and I6I7 = 2. 

Using this property, we can derive the following propositions: 

□ 

PROPOSITION 37 \fp is prime and b an integer such that p b, then 

a) the positive integer x is a solution to h' = 1 (mod p) iff \b\p divides x. 

b) \b\p divides p — 1. 

Proof. 

a) Suppose \b\ divides x; then x = k\b\ for some positive integer k. Thus, 
b^ = M'*' = {b''’'f ^ 1 (mod p). 

On the other hand, suppose = 1 (mod p). Then, if 
x = q\b\ + r Q<r<\b\ 
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we see that 

1/ = h?!'’'*'- = ^ ¥ (mod p). 

Now, since ¥ = \ (mod p), ¥ = 1 (mod p) also. But since 0 < r < \b\, we must have r = 
0 since \b\ is the least positive integer k such that b'‘ = 1 (mod p). Hence, \b\ divides x. 
b) (Exercise. Hint: use FLT and part (a).) ■ 

PROPOSITION 38 Suppose p is prime and b an integer such that p b. Then, if i and 
j are nonnegative integers, ¥ = ¥ (mod p) iff i = j (mod \b\p). 

Proof. Suppose i = j (mod \b\) and 0<j< i. Then i=j + k\b\ for some positive integer k. 
Thus, 

¥ = h'**^'*' = ¥(b'‘’'f ^ y (mod p). 

On the other hand, if b‘ = ¥ (mod p), where i > j, we have p -^ ¥ since p b. Then, note 
that since 

¥ ^ ^ y (mod p) 

we can divide this congruence by ¥ using proposition 2 1 to obtain 

y^^ = 1 (mod p). 

By proposition 27, we then know that \b\ divides i — j, or i = j (mod \b\). ■ 


.2 GENERATORS 


Definition 

An integer g such that the prime p does not divide g is called a generator modulo p if 

\8\p=P - 1 - 


lixAMPLE. Note from the previous example that 3 and 5 are generators modulo 7; 1, 2, 4, and 
6 are not. 

□ 


Most cryptosystems that depend on the difficulty of DLP use generators. Thus, we prove 
some important facts about generators. 

PROPOSITION 39 If g is a generator modulo p, then the sequence of integers g, g^, . . ., 
' is a permutation of 1, 2, . . . ., p — 1. 

Proof. To show this, we need only show that none of the p — I members of the former 
sequence are congruent to 0 modulo p, and that none are congruent to each other modulo 
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p. Note that since p g, p likewise does not divide for any positive integer k. So, none 
of the integers g, g^, . . . , g'’^^ are congruent to 0 modulo p. Now, suppose 

g‘ = gi (mod p) 

for some positive integers i and j, where 0 < i <j < p.By proposition 38, we then have i = 
j (mod Igl). But since i and j are both no greater than \g\=p — 1 (recall that g is a genera- 
tor), we must have i = j. Thus, no two members of g, g^, . . . , g^^^ are congruent modulo p, 
and so these integers must simply be a permutation of the positive integers not exceeding 

p-i. m 

It is important to be able to find generators, since the discrete logarithm problem is most 
intractable when generators are used as the base. Note that proposition 39 says that when 
we have = b (mod p) for prime p and generator g, the solution (when it exists) is unique, 
and, it turns out, harder to find. 

PROPOSITION 40 If \b\p = t and m is a positive integer, then 1^“!^ = tl{t, u). 

Proof. Let s = lh“l, v = (t, u), t = t'v for some integer t' , and u = u’v for some integer u' . 
By proposition 7 we have 

{t',u') = l. 

Thus, we have 

{b^y = (b^y^ = {bY = 1 (mod p) 
since \b\ = t. Then, by proposition 37, s\t' . But since 

{by = = 1 (mod p) 

we have t\us, which is equivalent to t'v\u'vs. Thus we derive the fact that t’\u’ s, and since f' 
and u' are relatively prime, we have t'\s by proposition 13. Now, since ilT, and since t'\s, 
we have 

m = s = t' = ti{t, u). ■ 

We will now prove that if a prime p has a generator, then it has many generators. This is 
important, since if there are too few generators (or none at all) to choose from when pick- 
ing a generator for a cipher, one may be hard (or impossible) to find. 

PROPOSITION 41 Let r be the number of positive integers not exceeding p — \ which 
are relatively prime to p — 1. Then, if the prime p has a generator, it has r of them. 

Proof. Let g be a generator modulo p. By proposition 40, we know that 

\g\ = \g\p/{u, \g\p) = (p-mu,p-i) 

for any positive integer m. Furthermore, from the previous equation, we can say that 
is a generator modulo p iff lg“lp = P ~ 1 iff m and p — I are relatively prime. ( ) 
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Now, from proposition 39 we know that the sequence 

g, ■ ■ . , g" ‘ 

is simply a permutation of 1, 2, . . . , p — 1 . Since there are exactly r integers in the first set 
that are relatively prime top — 1, there are exactly r integers in the former sequence of the 
form g‘ where i is relatively prime to p — 1. But, from the previous development (*), these 
are exactly the generators modulo p. ■ 

This tells us that when a prime has a generator, it has quite a few, since there are always 
many positive integers smaller than p which are relatively prime to p — 1 . 


I£xAIVIPLE. Consider the prime p = 101; since p — 1 = 100 = 2^ • 5^, any positive integer 
smaller than 100 not having a 2 or a 5 in its factorization will be relatively prime to 100. There 
are clearly many such integers. 


Note that proposition 41 does not tell us that every prime has a generator; it only says 
that if it has a generator, it has a certain number of them. We need this fact, but will not prove 
it. 

PROPOSITION 42 Every prime has a generator. 

Proposition 41 also says that if we find a generator g modulo p, we can find another by 
simply calculating the Inr of g' modulo p for some i relatively prime top — 1 . But how do 
we find a generator in the first place? This isn’t difficult to do in practice, since we will 
choose our primes carefully. For example, if prime p is such that p — \ consists entirely of 
small factors, such a prime p is susceptible to some discrete logarithm finding algorithms 
(like Pohlig-Hellman). If we choose p so that p — 1 has at least one large prime factor, we 
call it a safe prime. 

A solution is to choose primes of the form p = 2Rt + 1 where t is prime, and Ris a rela- 
tively small positive integer. We first select integers t at random, and subject them to pri- 
mality testing, until a particular value of t passes. We then select small values of R (say, < 
1 billion) at random and submit p = 2Rt+l to primality testing, until p passes with some value 
of R. Since R is small, it can be easily factored, and since p — 1 = 2Rt, the factorization of 
/7 — 1 is known. Thus, we present a method of finding generators. 

.3 GENERATOR SELECTION 

Suppose p is prime, and pi‘^i ■ p 2 ^ ■ is the prime factorization ofp— 1. To find a 

generator g modulo p, do the following: 

1. Choose a random integer x between 2 and p — 2. 

2. For i = 1 to n do 


a) Compute z = plpi 
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b) Calculate the Inr of modulo p. If the least nonnegative residue is 1 modulo p, x is 
not a generator. Return to step 1 . 

3. X is a generator modulo p. 


HxAMPLE. Here we generate a safe prime /?, and then a generator for p. This will be simple 
because we will know the factorization ofp— 1 hy our method of construction. We begin 
by finding a large random prime t. 

t= 106134897172928103943918854073295879814210153054070185316305605667648 
115167285318268319586681005150020607472483671576748374031351891166746019 
54897381 84672821 1 246036708099048606601439297700504038644255829445960865 8 
668158933760001311189926258441385295561653708006547249455162460344775949 
000288933247779568497479. 

We will now search for the first prime of the form 2rt + 1, where r begins with the value 
1 , and increments by 1 for each iteration. It turns out that this happens when r reaches the 
value 362, and the target safe prime p is 

p= 768416655531999472553972503490662169854881508111468141690052585033772 
353811145704262633807570477286149198100781782215658227986987692047241181 
534570445703122494213057666371119117944205153516492397844122051887566688 
75747068042240949301506611 1 115629539866372845967402086055376212896177870 
76209 187671 392407592 1 74797. 

(You may wish to verify that p is, indeed, 2 • 362 • t + 1, and is prime.) Since r = 362 is a 
relatively small integer, it can be easily factored. The prime factorization of r is; 

r = 362 = 2 • 181 

Now we generate another random integer x between 2 and p — 2. Let us choose x = 2. 
We test if X is a generator by raising it to all of the following powers modulo p\ 

jf-ip-m = 

768416655531999472553972503490662169854881508111468141690052585033772353 
811145704262633807570477286149198100781782215658227986987692047241181534 
570445703 1 224942 1 305766637 11191 17944205 15351 6492397844 1 2205 1 887566688757 
47068042240949301 5066 11111 56295398663728459674020860553762 128961 77870762 
09187671392407592174796 (mod p) 

759610078033092819549168009542029758562732552302229095079700578685006509 
781787175350810699575676555672711591634685786263572318673572188350335378 
422741882791298343532264353436668160520311489609485712535342907357206171 
457774990867629982901232534301789080080079058523455688622892974408888364 
96564879035543972034961 (mod p) 
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^{p-m = 

8825043620963179677965965 1 3 18894620729729809745361797646356310339459 1 82 1 
987874531220585600311009374053405582968213748930663530270586997171133297 
840152170658259623778588348787678947522653969852413674174837135790739292 
16 (mod p). 

None of these yield a residue of 1, so we conclude 2 is a generator of this safe prime p. 

□ 

Java Algorithm In my PrimeGenerator class, there is a method called getSafePrime- 
AndGeneratorO, which finds a safe prime p and a corresponding generator. There is also a 
method called getSafePrime(), which finds and returns a safe prime but does not find a gen- 
erator for it. 

import java. security ; 
import j ava . math . * ; 
import j ava . ut i 1 . * ; 
public class PrimeGenerator { 

int minBitLength; 
int certainty; 

SecureRandom sr.- 

public PrimeGenerator ( int minBitLength, int certainty, SecureRandom sr) { 

//The bit length of the prime will exceed minBitLength 
if (minBitLength<512 ) throw new IllegalArgumentException 
("Strong/Safe primes must be at least 64 bytes long."); 
this. minBi tLength=minBit Length ; 
this . certainty=certainty ; 
this . sr=sr ; 

} 

//This method returns a safe prime of form 2rt+l where t is a large prime, 

//and the factorization of r is known 

//It also returns a generator for the safe prime 

//The zero-th slot in the resulting array is the safe prime 

//Slot 1 of the result is the generator 

public Biglnteger[] getSaf ePrimeAndGenerator ( ) { 

Biglnteger[] p=new Biginteger [2 ] ; 

Biginteger r=BigInteger . valueOf ( OxVf f f f f f f ) ; 

Biginteger t=new Biginteger (minBitLength-30 , certainty , sr) ; 

//p is the first prime in the sequence 2rt+l, 2*2rt+l, 2*3rt+l, . . . 
do { 

r=r .add(BiglntegerMath.ONE) ; 

p [0] =BigIntegerMath. TWO. multiply (r) .multiply(t) . add (BigIntegerMath . ONE) ; 
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} while ( !p [0] . isProbablePrime (certainty) ) ; 

//We must get the prime factors of p-l=2rt 

//Put the prime factors in a Vector-iist each prime factor oniy once 
Vector factors=new Vector {) ; 

//Add t to the vector, since t is a prime factor of p-l=2rt 
factors . addElement (t ) ; 

//We know 2 is a factor of p-l=2rt, so add 2 to the Vector 
factors . addElement (Biglnteger .valueOf (2 ) ) ; 

//r may be prime-don' t factor it if you don't have to 
if (r . isProbablePrime ( 10 ) ) factors . addElement (r) ; 

//otherwise, find the factors of r and add them to the Vector 
else { 

//Divide all the 2's out of r, since 2 is already in the Vector 
while (r .mod (BigIntegerMath. TWO) . equals (BigIntegerMath. ZERO) ) { 
r=r .divide (BiglntegerMath.TWO) ; 

} 

//We now get the prime factors of r, which should be small enough to 
//factor 

//Start with 3 - 2 is already in the Vector 
Biglnteger divisor=BigInteger .valueOf (3 ) ; 

//Do not search for factors past the square root of r 
//Square the divisor for comparison to r 
Biglnteger square=divisor .multiply (divisor) ; 
while (square . compareTo (r) <=0) { 

//If this divisor divides r, add it to the Vector 
if (r .mod (divisor ). equals (BigIntegerMath. ZERO) ) { 
factors . addElement (divisor) ; 

//Divide r by this divisor until it no longer divides 
while (r. mod (divisor) . equals (BigIntegerMath. ZERO) ) 
r=r . divide (divisor) ; 

} 

divisor=divisor . add (BigIntegerMath . ONE) ; 

//Do not search for factors past the square root of r 
//Square the divisor for comparison to r 
square=divisor .multiply (divisor) ; 

} 


} 
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//Now, start looking for a generator 
boolean isGenerator ; 

Biginteger pMinusOne=p [0] . subtract (BigIntegerMath. ONE) ; 

Biginteger x,z,lnr; 
do { 

//Start by assuming the test # is a generator 
isGenerator=true; 

//Pick a random integer x smaller than the safe prime p 
x=new Biginteger (p [0] .bitLength ( ) -1 , sr) ; 
for (int i=0 ; i<factors . size ( ) ; i++) { 

//Compute z as p-1 divided by the i-th prime factor in the Vector 
z=pMinusOne . divide { (Biginteger ) factors . elementAt ( i ) ) ; 

//Raise X to the z power modulo p 
lnr=x . modPow ( z , p [ 0 ] ) ; 

//If this equals 1, x is not a generator 
if ( Inr . equals (BigIntegerMath . ONE) ) { 

isGenerator=false; 

//break-no reason to try the other prime factors for this failed x 
break ; 

} 

} 

//While X is not a generator, go back and pick another random x 
} while (! isGenerator) ; 

//If we get here, we found a generator-set it and return it 

p[l]=x; 

return p; 

} 

//getSafePrime ( ) is identical to this, but does not search for a generator. 


} 



The TestPrimeGeneratorApplet class allows us to retrieve safe primes. Here is a shot of 
it, displaying a safe prime and its generator. (See Figure 13.1.) 


13.4 CALCULATING DISCRETE LOGARITHMS 

There are a variety of discrete log finding algorithms known; however, none of them are fast 
enough to break the cryptosystems based on DLR However, those implementing such ciphers 
should take care that the primes they use do not have certain weaknesses, which some of these 
algorithms exploit. 
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FIGURE 13.1 



Exhaustive Search for Discrete Logs The most obvious solution to finding a dis- 
crete logarithm (and by far the slowest) is to search by taking successive powers. For exam- 
ple, to solve 

= z (mod n) 0 <z<n 

forx, we simply calculate the Inr’s of the sequence 

b, b^, b\... 


until we derive z- 

CBxAMPLE. Suppose we wish to solve the congruence 

25T ^ 369 (mod 1009) 

for X. We calculate the successive powers until we obtain a least nonnegative residue of 369 
modulo 1009. (See Table 13.2.) 

(The successive powers of 257^ go across from left to right.) There are 10 columns in the 
table; the last entry (369) is the 104* entry, so 

257'“ ^ 369 (mod 1009). 
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Column 



1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

1 

257 

464 

186 

379 

539 

290 

873 

363 

463 

938 

2 

924 

353 

920 

334 

73 

599 

575 

461 

424 

1005 

3 

990 

162 

265 

502 

871 

858 

544 

566 

166 

284 

4 

340 

606 

356 

682 

717 

631 

727 

174 

322 

16 

5 

76 

361 

958 

10 

552 

604 

851 

763 

345 

882 

6 

658 

603 

594 

299 

159 

503 

119 

313 

730 

945 

7 

705 

574 

204 

969 

819 

611 

632 

984 

638 

508 

8 

395 

615 

651 

822 

373 

6 

533 

766 

107 

256 

9 

207 

731 

193 

160 

760 

583 

499 

100 

475 

995 

10 

438 

567 

423 

748 

526 

985 

895 

972 

581 

994 

11 

181 

103 

237 

369 








This example alone should suggest to you that exhaustive search is obviously not the 
way we want to go about finding discrete logs. However, an exhaustive search may be 
worthwhile if the base is an integer of low order modulo n. 

□ 

Java Algorithm I have written a method to calculate discrete logs using exhaustive 
search. The code is in the BigIntegerMath class; 

public static Biginteger logExhaustiveSearch 
(Biginteger base, Biginteger residue, Biginteger modulus) { 

//This aigorithm solves base^'x = residue (mod modulus) for x using exhaustive 
//search 

Biginteger basePow=Biglnteger . valueOf ( 1 ) ; 

Biginteger j ; 

for ( j=BigInteger .valueOf (1) ; j . compareTo (modulus ) <0 ; j =j .add(ONE) ) { 

basePow=basePow. multiply (base) .mod (modulus) ; 
if (basePow. equals (residue) ) break; 

} 

if ( j . equals (moduius) ) throw new NoSuchElementExcept ion ( "No solution"); 
return j ; 


246 Chapter 1 3 Exponential Congruences 


Baby-step Giant-step Algorithm The next algorithm is an improvement of exhaus- 
tive search in that it doesn’t cycle through all exponents. It is based on the fact that if m is 
the smallest integer no less than Vn, where n is the modulus, and 

cf = b (mod n) 

we can write 


X = im + j 

where 0 < i and j < m. This yields 

rT = a"" ■ o', 

implying that 

b{{a”')')' = a! (mod n), 

where (a'")' is an inverse of a"' modulo n (if this inverse exists). The baby-step giant-step 
algorithm exploits this: The algorithm finds a discrete log (if one exists) of 

a‘ = b (mod n) 

1. Let b be an integer between 1 and n — 1 . 

2. Let m be the smallest integer no less than 

3. Make a table whose entries are (j, g') fory = 0, 1, 2, . . ., m — 1. The entries for g-' should 
be the least nonnegative residues modulo n. 

Compute ig'")', an inverse of g"‘ modulo n. (Of course, this assumes g"' is invertible 
modulo «; if not, this method will fail. Of course, if the modulus is prime, this will not 
be a problem.) 

5. Sety = b. 

6. For i from 0 to m — 1 do: 

• Search the second components in the table for a g' such that g' = y for some index j. 

• If such an entry is found, compute and return x = im+ j. 

• If no such entry is found, set y equal to the Inr of yig"')'. 

This algorithm will usually be superior in running time to exhaustive search because it 
only checks a maximum of m = ^n exponents (whereas exhaustive search may cycle through 
n exponents). However, the table required can be quite large, obviously, if n is very large. 
Also, the method we use to search the table is important. A sequential search is out of the 
question, and a binary search on a sorted table will also be time-consuming; a much prefer- 
able alternative is to use a hash table. 

-Example. We’ll use baby-step giant-step to solve the congruence 

43' ^ 140 (mod 307). 

(Note 43 is a generator modulo the prime 307.) First, since V307 s 17.5214, we’ll set m = 
18. Hence, Table 13.3 will have 18 entries: 
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TABLE 13.3 



(We will not sort the table by second component; we will assume that an efficient method 
is being used to search the table.) Now, we must compute an inverse of 43'* modulo 307: 

(43'*)' ^ 299' ^ 115 (mod 307). 

We now set y = 140, and begin the loop. We show the iterations in the following table. 
At each iteration y is set equal to the Inr of its old value times 115 modulo 307. (See Table 
13.4.) 

We now compute and return the value of x = 4(18) + 15 = 87. You should check that 
indeed. 


a 


43*’ ^ 140 (mod 307). 



248 Chapter 1 3 Exponential Congruences 


TABLE 13.4 


Java Algorithm The BigIntegerMath class also contains a method to compute discrete 
logs using haby-step giant-step. The code follows: 

public static Biginteger logBabyStepGiantStep 
(Biginteger base, Biginteger residue, Biginteger modulus) { 

//This algorithm solves base^x = residue (mod modulus) for x using baby step 
//giant step 

Biginteger m=sqrt (modulus ) .add(ONE) ; 

//Use a hash table to store the entries-use Java Hashtable class 
Hashtable h=new Hashtable ( ) ; 

Biginteger basePow=BigInteger .valueOf (1) ; 

//Build the hash table base^'j is the key, index j is the value 
for (Biginteger j =BigInteger . valueOf ( 0 ) ; j . compareTo (m) <0 ; j = j . add (ONE) ) { 

h.put (basePow, j ) ; 

basePow=basePow. multiply (base) .mod(modulus) ; 

} 

//Compute an inverse of base^m modulo p 

Biginteger basetotheminv=base .modPow (m, modulus) .modinverse (modulus) ; 

Biginteger y=new Biginteger (residue . toByteArray ()) ; 

//Search the hashtable for a base^j such that y=base''j for some j 
Biginteger target; 

for (Biginteger i=BigInteger .valueOf ( 0 ); i . compareTo (m) <0 ; i=i . add (ONE) ) { 

target = (Biglnteger)h.get (y) ; 

if (target ! =null) return i.multiply(m).add(target); 
y=y .multiply (basetotheminv) .mod (modulus) ; 

} 

throw new NoSuchElementException ( "No solution"); 

I have written TestDiscreteLogApplet to test these log finding methods. It can be run 
from the book’s website. Figures 13.2 and 13.3 show two screen shots. 
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FIGURE 13.2 



FIGURE 13.3 


Discrete Logarithm Solver - Microsoft Internet Exploit. 

1 

J File Edit View Favorites ”| 

J ^ B ack - ” 

I Address 

■ 

1123454321 


3 


to the X power is congruent to 
308536306 

modulo 

1122334455 

j Solve for x using baby step giant step 

Solve for x using exhaustive search 

11111 

J 



Pohlig-Hellman Algorithm for Discrete Logs The Pohlig-Hellman algorithm 
is only effective when a prime modulus p is such that p — \ consists entirely of small fac- 
tors. But in this case, it is very effective. Consider the prime p, and let the prime factoriza- 
tion of p — 1 be given by 


P - 1 =Pi"' ■ ■■■ -Pn"- 
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Let g be a generator modulo p, and suppose we wish to solve 

= b (mod p) 

for X. To do this, we will first determine each residue x, such that 

X = X; (mod pi‘) V i. 

To compute each of these residues, we will compute the digits of each x, in terms of its 
Pr^ry representation; that is, we will construct each x, as a base p, number: 

Xi = d ,- 1 • p/' ' + 4,-2 ■ pr^ + . . . + d2- p^ + di- Pi + do- C) 

Once we have determined each x,, we have a system 

X = Xi (mod Pi'^l) 

X = X2 (mod P2''2) 


X = x„ (mod p„‘n) 

which we can then solve for x = log^h using the Chinese Remainder Theorem (notice the 
moduli are pairwise relatively prime). The trick, of course, is to obtain the representation 
given by (*); this is described in the following algorithm. 

Suppose p, g, and the prime factorization of p — 1 are as described previously. We wish 
to find X = loggpb: 

1. For i = 1 to n do: 

(a) Let q = p„ e = Cj, c = 1, and d^i = 0. 

(b) Compute g* = 

(c) For A: = 0 to e — 1 do: 

I. Set c = cg‘‘k - ‘ 

II. Set b* = (where c' is an inverse of c modulo p) 

III. Compute di, = log^.h* 

(d) Let Xi = de-i ■ + de -2 ' q" ^ + . . . + d 2 ■ q^ + di ■ q + d^ 

2. Use CRT to compute a simultaneous solution x to the system 

X = Xi (mod p{') 

X = X 2 (mod p 2 ^) 


x = x„(modp/«) 
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One step may require clarification; namely, step l.(a).III: How do we know that 

4 = 

is indeed the Ath digit in the p-siry representation of xf! Note first that if ^ = pi and e = e, 
as in the algorithm, we have \g\ = q. During the Ath loop of step l.(a).III, we have 

C jt-i+.+ifiij+iio 

and so 


b*={blcf**^ 

= ‘‘k — D*' * - d-^q-daylqk*! 

= h' ''A - (switch order of exponents) 

_ ^^nlqk+\yl^ + ■ - - + d^k 

= - D'-' * * • • ■ * 4 (divide and multiply by ^') 

= (g*)''* (since lg*l = q) 

Thus, we indeed have = log^ b* . 

Note that in order for us to compute a logarithm with Pohlig-Hellman, we need to know 
the prime factorization ofp — 1, and to compute other logarithms (specifically, step l.(c).III.). 
We must use another algorithm to compute these logs; for example, baby-step giant-step. 
If one of the factors of p — 1 is large, then computing this “sublogarithm” is also an 
intractable problem. 

Admittedly, the notation in this algorithm looks virtually labyrinthine; however (as usual), 
an example will show how straightforward it really is. We will use small parameters. 


Example. Let the prime p = 41. We can easily obtain the prime power factorization of 

P-1-. 

p - 1 = 40 = 2^ ■ 5 

We want to find log64i5; that is, the solution to 6^ = 5 (mod 41). 

To do this, we must compute each of the following: 

1 . Xi = X (mod 2^) Xi= do + d{l + d 22 ^ 

2 . X2 = X (mod 5) — > Xj = 4 

We begin with Xj : 


g* = ^ 40 (mod 41). 
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Let c = 1 and compute b* = (5 ■ = 1 (mod 41). 

Compute do = log 4 ol = 2 (by using, for example, baby-step giant-step). 

Now, let c = 1 ■ 6^ = 36 (mod 41) and compute b* = {5 ■ 36')"'®'' = 1 (mod 41). 
Compute di = log 4 ol = 2 (by using, for example, baby-step giant-step). 

Now, let c = 1 • 6*'^ = 36 (mod 41) and compute b* = (5 ■ 36')"^°^* = 1 (mod 41). 
Compute ^2 = log 4 ol = 2 (by using, for example, baby-step giant-step). 

This yields 

Xi = 2 H- 2 • 2 H- 2 ■ 2^ = 14. 

Now, to compute X 2 . 

= ^ 10 (mod 41) 

Let c = 1 and compute b* = (5 ■ 1')“*°^^ = 18 (mod 41). 

Compute do = logjglS = 2 (by using, for example, baby-step giant-step). 

This immediately yields 

X2 = 2. 

Thus, we seek a solution to the system of congruences 

14^6 (mod 2^) 
x = 2 (mod 5). 

By using the Chinese Remainder Theorem, we derive the solution 

X = 22 (mod 40). 

Thus, logg 4 i 5 = 22. (Verify!) 


Now, to the index-calculus algorithm. But before we describe it, we should cover some 
properties which discrete logarithms possess; they are very similar to properties of logarithms 
of real numbers. 

PROPOSITION 43 Let p be prime, and let g be a generator modulo p. Suppose a and b 
are positive integers not divisible by p. Then we have all of the following: 

a) logl = 0 (mod p — 1) 

b) log(a^7) = logo + \ogb (mod p — 1) 

c) log(a*) = k ■ logo (mod p — 1) 

where all logarithms are to the base g modulo p. 
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Proof. 

a) From FLT, we have g'’ ' = 1 (mod p). Since g is a generator modulo p, no smaller power 
of g is congruent to 1 modulo p, and thus logl =p — 1=0 (mod p — 1). 

b) Note that from the definition of discrete logarithms, 

^log(a6) = (mod p), 

and 


^log«.logfe ^ ^loga . ^logfi ^ 


Thus, 

g\og(ab)^ g\oga.logh (modp), 

and by using proposition 38, we conclude that 

\og{ab) = logo + \ogb (mod p- 1) 

c) Exercise. ■ 


I£xAMPLES. Take the prime p = 13, and note that 2 is a generator modulo 13 (this is easily 
checked). Note that since 2° = 2'^ = 1 (mod 13) by FLT, we have 

log 2 [ 3 I =12 = 0 (mod 12 ). 

Also, note that 

log2,13l2 = 6 , 
log 2 ,i 39 = 8 , and 

log 2 ,i 3(9 • 12) = Iog2,i3(108) = log 2 ,i 3 ( 4 ) = 2. 

(Since 108 = 4 modulo 13.) 

This gives us 

log 2 .i 3(9 • 12 ) = 2 = 6 + 8 = log 2 ,i 3 l 2 + log 2 ,i 39 (mod 12 ). 

Also, note that 

10 ■ log 2 ,i 3 l 2 = 10 -6 = 60, 

and 

log2,i3l2'“ = log2,i361917364224 = log2,i3l = 12. 

(Since 61917364224 ^ 1 modulo 13.) 

This yields 

log 2 ,i 3 l 2 “’ = 12 = 0 ^ 60 = log 2 ,i 3 l 2 *° (mod 12 ). 

□ 
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Index-Calculus Algorithm An optimized variant of this algorithm is the fastest 
known algorithm to date for computing discrete logarithms to the base g modulo a prime p, 
where g is a generator. 

To compute logg pb where = b (mod p) using the index-calculus algorithm: 

1. Select from the numbers 2, 3, — 2, a subset of the first t primes S = {pi, p 2 , ■ ■ ■ , 

p,} such that “many” of the elements g‘ where \ <i<p — 1 can be written as a product 
of elements from S. 

2. Select a random integer j such that 0 <j < p — 2 and compute the Inr of g' modulo p. 

3. Attempt to write g' as a product of elements from S: 

g^=Pi^-P 2 ^- c,>0Vi. 

If this is not successful, return to step 2; otherwise, continue. 

4. Take the logarithm modulo p of both sides to produce a congruence; 

j ■ log(g) = y = Cl • logipi) + C 2 ■ logipz) + . . . + c, • logip,) (mod/? - 1). 

(Simplify using the properties of discrete logarithms, as shown.) 

5. Repeat steps 2 through 4 to make a system of at least f such congruences. Attempt to 
find a unique solution for each logarithm by solving the system. If the system is linearly 
dependent, go back to step 2 and generate new congruences to replace those that are lin- 
early dependent on the others. 

6. Select a random integer k such that 0 < k< p — 2, and compute the Inr of b ■ g*^ modulo 
P- 

1. Attempt to write h ■ as a product of elements from S\ 

b ■ g'‘ = • P2‘^^ • . . . ■ pf', df > 0 Vi. 

If this attempt is not successful, return to step 6; otherwise, continue. 

8. Take the logarithm to the base g of both sides; this yields 

log(b ■ g*) 

= log(i?) H- k ■ log(.g) 

= \og(b) + k 

= di ■ log(/?i) H- d 2 ■ log(/? 2 ) + .. .+d,- log(/?,) (mod/? - 1). 
which we then solve for \ogg pb'. 

log(h) = <ii • log(/?i) H- d 2 ■ log(/? 2 ) + . ..+d,' \og{p,) - k (mod/? - 1). 


Z^XAMPLE. We will use the index-calculus algorithm to find a solution to 6^ = 57 (mod 
107). Note that 107 is prime, and that 6 is a generator modulo 107 (verify). So, the parameters 
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are p = 107, g = 6, and b = 57. We will choose 5 = {2, 3, 5, 7}. Now, we generate some ran- 
dom integers, and attempt to write powers of g = 6 as products of elements from S. 

Inr of 6^ modulo 107: 42 = 2 • 3 ■ 7 

Inr of 6® modulo 107: 4 = 2^ 

Inr of 6^^ modulo 107: 15 = 3-5 

Inr of 6^^ modulo 107: 90 = 2 • 3^ • 5 

By taking the logarithm base 6 modulo 107 of both sides, and using the properties of dis- 
crete logarithms (from proposition 43), we get the following system of congruences: 

24 = log2 -H log3 + log7 (mod 106) 

6 = 2- log2 (mod 106) 

33 = log3 -H log5 (mod 106) 

34 = log2 -H 2 • log3 -H log5 (mod 106) 

To solve this system, we need to reduce the following matrix to row echelon form using 
an analogue of Gauss-Jordan elimination for matrices representing congruences. 


1 

1 

0 

1 

24 

1 

0 

0 

0 

6 

0 

1 

1 

0 

33 

1 

2 

1 

0 

34 


When this is done, we achieve this reduced matrix. (Verify.) 


1 

0 

0 

0 

3 

0 

1 

0 

0 

104 

0 

0 

1 

0 

35 

0 

0 

0 

1 

23 


Thus, we have 

log62 = 3 
loggS = 104 
log65 = 35 
logj = 23 

Now, we try to evaluate logg io757 (the purpose of all this work, remember?). First, we 
pick a random integer k = 38, and try to write • g*' as a product of members of S. It turns 
out that we can: 


Inr of 57 • 6^* modulo 107 = 35 = 5 • 7. 
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Taking the logarithm base 6 of both sides, and by using the properties of discrete loga- 
rithms, we get 


log57 H- 38 = logS + log? 

= 35 H- 23 
= 58 (mod 106). 


Thus, we obtain our final result. 


log6,i0757 = 58 - 38 = 20. (Verify!) 


a 


Some parts of this algorithm are not clear; for instance, how many primes t should be in 
the set SI The answer is not clear, since it depends on the abilities of the computing device. 
If f is too large, the corresponding system of congruences may take up too much memory, 
and take too long to solve. On the other hand, if t is too small, it will be harder to find ele- 
ments which can be written as a product of members of S; the search for these elements 
could take too long. This type of time-memory tradeoff always depends on the hardware 
being used; thus, we leave this part of the algorithm unspecified. 

Another part of the algorithm that is unclear is when it directs one to “attempt to write 
the element as a product of members from S.” If we are using the first f primes, we can do 
this by simply taking the prime factorization of the element (say E), and checking if each 
factor of E is in the set S. However, if £ is a large prime, or is composite but is difficult to 
factor because it has large prime factors, the time to do this could be prohibitive. Thus, we 
should probably submit £ to a primality test; if it turns out to be a probable prime, we should 
reject £ and choose another random integer. Otherwise, we can try to factor £, but enforce 
some time limit to do this. 

Many of these decisions for the index-calculus algorithm are heavily dependent on the 
hardware, and the software, such as the implementation of large integer arithmetic. Thus, 
the decisions on how to implement the index-calculus algorithm are often made based on 
experimentation. 


EXERCISES 

1. Prove part (b) of proposition 37. 

2. Write a logPohligHellman() method in the BigIntegerMath class to compute discrete 
logs using the Pohlig-Hellman algorithm. 

3. Prove part (c) of proposition 43. 

4. The Biginteger class provides a modPow() method to perform modular exponentia- 
tion, but you should consider how to write such a method. Write an efficient method to 
perform modular exponentiation, say a modPow(BigInteger base, Biginteger exponent, 
Biginteger modulus) method. Put it in the BigintegerMath class. For help, refer to the 
following: 
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Implementing Modular Exponentiation. Notice that many cryptosystems require us to 
raise integers to large powers modulo n. It is easy to write an algorithm that does a 
poor job of this. Consider the relatively easy problem of raising 2 to the 340th power 
modulo 341; that is, compute the Inr x of 

2^“° ^ X (mod 341). 

Do we compute 2^"*°, then compute the least nonnegative residue? Of course not; if the 
numbers involved were only moderately larger, the storage space of computers would 
be quickly maxed out trying to contain such a large number. 

Our second alternative may be to write a loop which executes 339 times, begins with 
a value of the base 2, then multiplying the product times 2 each time and taking the Inr 
modulo 341 on each iteration. This is better, but only moderately larger exponents could 
make this far too slow. For example, an exponent larger than a trillion would cause the 
loop to execute more than a trillion times, and even supercomputers would take a while 
to crank through such a loop. 

A much better alternative is to do repeated squarings and multiplications, taking 
the Inr after each operation. To see this, we rewrite as 

2340 

= 2 ™ 

= (2‘™)2 

= ((2*^)")' 

= 

= (({2{2^^'^)Yf? 

= (((2((2^m^ff 

= 

= ((i2((2{2^-^ffffff 

= (({2((2{(2^fffffff 

= (((2((2((2^-^^yfffff? 

= ((i2((2{(2i2^)Yfffff)\ 

Computing 2^'*° modulo 341 then becomes a matter of calculating 

- mii2({2(4fff)Yfff 

- m{{2({32fffffff 



258 


Chapter 1 3 


Exponential Congruences 


- 

- miAffff 

- 

- ( 12)2 

^ 1 (mod 341). 

Writing these computations out is far uglier than actually doing them. You will notice 
that calculating modulo 341 this way only requires 9 squarings, and only 3 multi- 
plications by the base 2. This is a dramatic improvement over 339 multiplications, and 
this improvement becomes even more obvious as we use much larger exponents. 

To do this, it may help to look at the binary representation of 340; that is, 

340= 101010100(base2) 


When calculating the Inr x of 


22“° ^ X (mod 341) 

You may see an efficient way to determine when to square, and when to multiply by 
the base. 

5. Write the following constructor for the Int class. 

public Int (int bitlength, int certainty. Random r) ; 

It should generate probable primes of the desired bitlength. They should be prime with 
probability exceeding 1 - 0.25“"““b 



CHAPTER 14 
Exponential Ciphers 


In the last chapter, we discussed how to solve congruences of the form 

= b (mod p) 

for X, where a and b are known, and p is prime. Cryptosystems based on exponential con- 
gruences can be quite difficult to crack. We will consider such ciphers now. 


14.1 DIFFIE-HELLMAN KEY EXCHANGE 

The first public key scheme was invented by Diffie and Heilman. Though it could not be 
used to send messages, it could establish secret keys for use in secret key cryptosystems. An 
eavesdropper “tapping the line” would be unable to determine what the generated key was. 
The steps to Diffie-Hellman (DFH) are as follows: 

1 . Two users agree on using a large prime p, and g, a generator modulo p. At current lev- 
els of computing power, p should be at least 1024 bits in length. It doesn’t matter if a third 
party hears this exchange and knows these numbers g and p. 

2. Next, user 1 chooses a private number, say x. User 2 chooses his own secret number, say 

y- 

3. User 1 then calculates g^ (mod p) and sends this quantity to User 2. User 2 similarly 
computes g^ (mod p) and sends this to User 1. 

4 . User 1 then takes the value received from User 2 and raises it to his x power, and User 
2 likewise computes the value received from User 1 to his y power. Thus, they both com- 
pute K = {g’^y = g’^ = (g^y (mod p). This value K can then be used as a key in subse- 
quent secret key sessions. 
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14.2 WEAKNESSES OF DIFFIE-HELLMAN 

Why is this secure? Note that even if a third party is listening, and hears all of the follow- 
ing transmissions, he will know the value of g, p, g‘, and g'. Is this enough to compute the 
K value? No! In order to compute K, the eavesdropper must do either of two things: 

• Raise to the y power (mod p), which he cannot do because he does not know y, or 

• Raise g^ to the x power (mod p), which he cannot do because he does not know x. 

Note that though the eavesdropper does not know x or y, he does know g' and g’’. How 
easy is it to obtain x, for example, if you know what is? Nearly impossible! This is, of 
course, the discrete logarithm problem, and it means solving a congruence of the form 

z = (mod p) 

forx. We know this problem is intractable when the modulus p is large, and when g is a gen- 
erator modulo p. Thus, anyone using DFH with confidence in the difficulty of the discrete 
logarithm problem can generate as many keys as desired and use them with other cryp- 
tosystems. 

Later we will see a Diffie-Hellman Key Exchange. To do this, we will need to cover 
some of the Java networking classes, so I’ve saved this topic for the upcoming chapter. 
Establishing Keys and Message Exchange. 

14.3 THE POHLIG-HELLMAN EXPONENTIATION CIPHER 

This cipher is based on Fermat’s Little Theorem (FLT), and is called the Pohlig-Hellman 
exponentiation cipher. Let p be a large safe prime, and let e be some integer relatively prime 
top — 1. At current levels of computing power, p should be at least 1024 bits in length. Our 
plaintext message P is a nonnegative integer less than p. The enciphering transformation is 

C=P^ (mod p),0<P<p,0<C<p. 

To decrypt, we must first find an inverse of e modulo p — 1, call it d. We know this 
inverse exists because e is relatively prime to p — 1 ; thus, d must satisfy the congruence 

ed= I (mod p — 1). 

This congruence has a unique solution for d modulo p — 1 and is easily solved using the 
extended Euclidean algorithm. Once d is calculated, one may decrypt in the following way: 

P^C' (mod p). 

Why does this work? Why does raising the ciphertext to the d power recover the plain- 
text? If we recall Fermat’s Little Theorem, it is easy to show why: 

& 

^ {p^Y 

— ped 
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= pkij’ I) + 1 (Since ed = I (mod p — 1), ed = kip — 1) + 1 for some integer k.) 

^ (PP - ^fP 

= 1*/* (Here is where FLT comes in.) 

= P (mod p). 

Note that the conditions in the hypothesis of Fermat’s Little Theorem are satisfied; that 
is, p is prime and does not divide P, a nonnegative integer less than p. 


14.4 WEAKNESSES OF THE POHLIG-HELLMAN CIPHER 

Suppose we are using Pohlig-Hellman and manage to get our hands on the plaintext P asso- 
ciated with some ciphertext C. Finding the encryption key e then means solving the con- 
gruence 

C = P’’ (mod p) 

for e. This is an exponential congruence, and as we know, these are quite difficult to solve. 
Thus, when using this cipher, even if we obtain some plaintext knowing that it corresponds 
to certain ciphertext, it still does not help us in cracking the cipher. Hence, the Pohlig-Hell- 
man cipher is resistant even to a known plaintext attack. It is very important that a cipher 
not be vulnerable to such an attack, since it is considered too great a security risk. This 
exponentiation cipher is quite resistant to cryptanalysis, provided the proper precautions 
are taken. We list some of the potential weaknesses of this cipher. 

Inadequate Block Size The block size (and thus the prime modulus p) must be cho- 
sen large enough; say greater than 500 decimal digits for the prime p. 

Weak Primes The quantity p — I should have at least one large prime factor, otherwise 
p could be vulnerable to certain discrete log finding algorithms. 

Low Order Messages modulo p Since we encrypt with Pohlig-Hellman using the 
transformation 


C = P^ (mod p), 

the plaintext message may not be a generator modulo p, and in fact may have low order. This 
makes the discrete logarithm problem easier to solve. Some method must be employed to 
ensure the message is of high order modulo /?; perhaps by judicious use of salt. Note finally 
that Pohlig-Hellman is a secret key cipher. Divulging the encryption key e to anyone is the 
same as handing them the decryption key d, since finding it merely means solving the con- 
gruence ed = I (mod p — 1) for d, which is very easily done. 

Memoryless Cipher Pohlig-Hellman is a static cipher. That is, it always maps a par- 
ticular plaintext block to the same ciphertext block. We discussed CBC earlier to cope with 
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this problem, but here we will cover a different solution. It has some advantages over CBC, 
but can only be used for a secret key cipher. 

14.5 CIPHER FEEDBACK MODE (CFB) 

Like CBC, CFB uses an initialization vector (IV) to start the encryption and decryption. 
What may seem strange is that only the encryption transformation is used for both encryp- 
tion and decryption; the decryption key is never needed. (This makes CFB unsuitable for 
public key ciphers, of course.) 

Suppose the cipher maps m-bit blocks to «-bit blocks, where m<n. Let Ei^{x) denote the 
encipherment of x using the secret encryption key k. The IV is an m-bit quantity that need 
not be secret. Let r be a positive integer not exceeding n, and divide the plaintext message 
into r-bit blocks, x^, X 2 , . ■ ■ , We proceed as follows; 

1. Let li = IV 

2. For i from I through w do: 

a) Let Ui = E^Qi). 

b) Let tf be the r least significant bits of Uj. (Suppose the least significant bits are to the 
right.) 

c) Let Cj = X; © tf. 

d) Shift /; toward the left r bit positions, and append c,; assign this value to 

The ciphertext is the set of r-bit blocks Cj, C 2 , . . . , c„. Figure 14. 1 is a diagram of the CFB 
mode of operation. 

To decrypt, we go through nearly the same process, with only the ciphertext blocks and 
plaintext blocks exchanging roles in step 2.(c). 


FIGURE 14.1 
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1. Let /i = IV 

2. For i from 1 through w do: 

a) Let [/,. = £,(/,). 

b) Let t, be the r least significant bits of f/,. (Suppose the least significant bits are to the 
right.) 

c) Let Xi = Ci 0 ?/. 

d) Shift /; toward the left r bit positions, and append c,; assign this value to 

This cipher mode has a great benefit; using it we can process message blocks which are 
smaller than the cipher block length. This is necessary for some applications, in which a sin- 
gle byte (or even a bit) must be processed as soon as it enters the stream. (Many networked 
applications work this way; telnet, for example.) 

CFB has an advantage over CBC, in that errors do not propagate very far down the 
stream. With CBC, each ciphertext block is produced based on the previous ciphertext block, 
and a single bit inversion in one of these blocks changes all of the blocks following it. This 
is not likely to happen during the encryption phase, but is quite possible on the receiving end 
of the message, after it has passed possibly thousands of miles over a noisy channel. One 
incorrect bit in any block destroys all the blocks following. 

A bit error using CFB propagates only a small distance. If you see how each ciphertext 
block is used, you will see why. In the ith step of the algorithm, a ciphertext block c, is 
appended to a left- shifted /,, then continues to be shifted left until it is eventually shifted out 
of the m-bit register. If the bit error is in block c„ for example, then it will only affect those 
blocks processed while c, remains in the register. 


Example. We will use CFB with Pohlig-Hellman, using a small prime. In reality, a safe 
prime at least a thousand bits in length should be used. The quantities will be expressed in 
binary. We will process 3 bits of the message at a time. Suppose the prime modulus is 


p= 1101011111111, 

the encryption exponent is 

e= 111111110000, 


the initialization vector is 


iv= 10110011, 

and the message (divided into 3 -bit blocks) is 

Xi = 101, X2 = 110, X3 = OIL 
We begin by setting /; = to the initialization vector: 

/j = iv= 10110011. 

We then compute 

Ml = V ^ 0101101100011 (mod p), 
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and fi is the three rightmost bits: 

ti = 011. 

This is 0 -ed with the first plaintext block to yield the first ciphertext block. 

Cl = fi© 101 =011 ©101 = 110 

We now form the next value I2 by shifting /[ to the left three bits, and appending Ci. The 
three most significant bits of I^ are lost. 

/ 2 = 10011110 . 

From here on out, the process goes exactly the same way: 

111101111 (modp) 

t2=lll 

C2 = t2© 110 = 001 
/ 3 = 11110111 

c/3 ^ 73-^ ^ 1011100100 (mod p) 

= 100 

C3 = t3©011 = 111 

The final ciphertext message (in 3 -bit blocks) is: 

Ci= no, C2 = 001,C3= 111 


Java Algorithm Using the Biglnteger class in Java, it is easy to write code to perform 
Pohlig-Hellman exponentiation encryption/decryption. Here, we add a couple of methods, 
pohligHellmanEncipherO and pohligHellmanDecipher(), to our Ciphers class. It calls the 
same pad(), block(), unPad() and unBlock() methods we defined earlier, but it does not use 
salt, or CFB. You will be asked to do CFB in the exercises. 


import j ava . math . * ; 
public class Ciphers { 

public static byte[] pohligHellmanEncipher (byte [ ] msg, Biglnteger e, Biglnteger p) 

{ 

//Compute the plaintext block size 
int blockSize= (p .bitLength ( ) -1) /8; 

//Check the enciphering exponent 

if ( ! (p. subtract (BiglntegerMath. ONE) .gcd(e) . equals (BigIntegerMath. ONE) ) ) 
throw new IllegalArgumentException 

("Enciphering key is not relatively prime to (modulus minus one)."); 
byte ba[] [] =block(pad(msg,blockSize) ,blockSize) ; 

//Begin the enciphering 
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for (int i=0;i<ba. length; i++) ba [i] =getBytes (new 
Biginteger (l,ba[i] ) . modPow ( e , p ) ) ; 

//Return to a ID array. 

//The ciphertext block size is one byte greater than plaintext block size, 
return unBlock (ba, blockSize+1 ) ; 

} 

public static byte[] pohligHellmanDecipher (byte [ ] msg, Biginteger d, Biginteger p) 

{ 

//Compute the ciphertext block size 
int blockSize= (p .bitLength ( ) -1) /8+1; 

//Check the deciphering exponent 

if ( ! (p. subtract (BigIntegerMath.ONE) .gcd(d) .equals (BigIntegerMath.ONE) ) ) 
throw new IllegalArgumentException 

("Deciphering key is not relatively prime to (modulus minus one)."); 
byte[] [] ba=block(msg,blockSize) ; 

//Begin the deciphering 

for (int i=0;i<ba. length; i++) ba [ i] =getBytes (new 
Biginteger (l,ba[i] ) .modPow(d,p) ) ; 

//Go from blocks to a ID array, and remove padding; return this 
return unPad (unBlock (ba, blockSize-1 ) , blockSize-1 ) ; 

} 

//...Other methods 

} 

An applet (called TestPohligHellmanCipherApplet) to view the behavior of this cipher 
can be run from the book’s website. The applet generates a safe prime to use as the modu- 
lus. The applet actually uses a salted version of Pohlig-Hellman. You will see that if you enci- 
pher the same plaintext multiple times, you will receive a different ciphertext each time. The 
methods to encipher/decipher this way are in the Ciphers class. 

public static byte[] pohligHellmanEncipherWSalt 
(byte[] msg, Biginteger e, Biginteger p, SecureRandom sr) { 

//Compute the plaintext block size 
int blockSize= (p .bitLength ( ) -1) /8; 

if (blockSize<5 ) throw new IllegalArgumentException 
("Block size must be >= 5 bytes"); 

//Check the enciphering exponent 

if (! (p. subtract (BigIntegerMath.ONE) .gcd(e) . equals (BlglntegerMath. ONE) ) ) 
throw new IllegalArgumentException 

("Enciphering key is not relatively prime to (modulus minus one)."); 
byte[] [] ba=block(pad(msg,blockSize-4) ,blockSize-4) ; 

//Begin the enciphering 
for (int i=0 ; i<ba . length; i++ ) { 
ba [i] =addSalt (ba [i] , sr) ; 

ba [i] =getBytes (new Biginteger (1 , ba [i] ) .modPow(e,p) ) ; 

} 



266 Chapter 14 Exponential Ciphers 


//Return to a ID array. The ciphertext block size is one byte greater than 

//plaintext block size. 

return unBlock (ba, blockSize+1 ) ; 

} 

public static byte[] pohligHellmanDecipherWSalt (byte [ ] msg, Biginteger d,Biglnteger 
P) { 

//Compute the ciphertext block size 
int blockSize= (p .bitLength ( ) -1) /8+1; 

//Check the deciphering exponent 

if {! (p . subtract (BigIntegerMath. ONE) .gcd(d) . equals (BigIntegerMath. ONE) ) ) 
throw new IllegalArgumentException 

("Deciphering key is not relatively prime to (modulus minus one)."); 
byte[] [] ba=block(msg,blockSize) ; 

//Begin the deciphering 

for (int i=0 ; i<ba . length; i++) { 

ba [i] =getBytes (new Biginteger (1, ba [i] ) .modPow(d,p) ) ; 
ba [i] =removeSalt (ba [i] ) ; 

} 

//Go from blocks to a ID array, and remove padding; return this 
return unPad (unBlock (ba, blockSize-5 ) , blockSize-5 ) ; 

} 

You can see that these methods call a couple of helper methods, addSalt() and 
removeSaltO, also in the Ciphers class. 

//Method to add salt to blocks 

private static byte[] addSalt (byte [ ] b, SecureRandom random) { 
byte[] answer=new byte [b. length+4] ; 
byte[] salt=new byte[4]; 
random. nextBytes (salt) ; 

//Put salt in front 

System. arraycopy (salt , 0 , answer, 0,4) ; 

//Copy the message over 

System. arraycopy (b, 0 , answer, 4, b. length) ; 
return answer; 


//Method to remove salt 

private static byte[] removeSalt (byte [ ] b) { 
byte[] answer =new byte [b. length-4] ; 

//Copy the message over 

System. arraycopy (b, 4, answer, 0 , answer. length) ; 
return answer; 
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FIGURE 14.2 


14.6 



Figure 14.2 is a screen shot of TestPohligHellmanCipherApplet. Give it a try and see 
how it works. 

THE ELCAMAL CIPHER 

Since DFH, there has been an explosion of public key algorithms. The proposed national 
standard, backed by the National Security Agency (NSA), is called ElGamal. Though it is 
a very interesting algorithm, it is possible that NSA has already broken it, which could 
explain their enthusiasm for it. ElGamal is similar to Diffie-Hellman key exchange and 
Pohlig-Hellman in that breaking it requires solving the discrete logarithm problem. This is 
opposed to RSA (which we will soon discuss), which depends on the intractability of fac- 
toring integers with large prime factors. 

This is how ElGamal works: Eirst, the recipient of a message must choose a large ran- 
dom safe prime p, and a generator g modulo p. At current levels of computing power, p 
should be at least 1024 bits in length. Then he selects a random integer a such that 1 < a < 
p — 1, and computes the least nonnegative residue r of g" modulo p. That is, 

r=g“ (mod p) (0 < r < p). 

He makes public the values p, g, and r. The private key is a. 

Now, for someone to send a message to this individual, she must do the following: Sup- 
pose P is the plaintext message, considered as an integer, with 0< P <p. The sender then 
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selects a random integer k such that 1 < A: < ;? — 2 (it is very important that the sender choose 
a different random value for each message); then she computes the two values 

c = g* (mod p) (0<c <p) 

P{g‘‘f (mod p) iO<d< p). 

The ciphertext to send is the pair of values c and d', that is, 

C = (c, d). 

The intended recipient decrypts C by using the private key a to first compute the Inr z of 
an inverse of c“ modulo p; that is, 

z = (c“)' (modp) (0<z<p). 

He then recovers the plaintext P by computing 

P = zd (mod p) (0 < P < p). 

Why does this last computation recover the plaintext? If one references how each quan- 
tity was created, it becomes obvious: 

zd ^ {€“)' -P-/^ {{g’^yy ■ P ■ ig^y ^ (/*)' ■g‘"‘-P^P (mod p). 

Example. We will now demonstrate ElGamal using very small numbers. The intended 
recipient first chooses a prime p = 2357, and g = 2, a generator modulo 2357. She then 
chooses a random integer a = 2001 which will serve as the private key. She then computes 

r = 2034 ^ 2^“' (mod 2357). 

She makes public the values of p, g, and r. 

Suppose now someone wishes to send the message (regarded as an integer) 

P = 1622 

to the aforementioned recipient. She must first generate a random integer k = 835 then com- 
pute the two values 

c = 731 ^ 2*3^ (mod 2357) 

^/ = 1326 ^ 1622 • 2034*^^ (mod 2357) 

She then sends these 2 values; the ciphertext is 

C=(731, 1326) 

To decrypt, the recipient must first find an inverse of c" modulo p\ that is, 
z = 794 ^ 1980' ^ (73 P“')' (mod 2357). 

She then retrieves the plaintext by computing the Inr of zd modulo p. 


P = 1622 = 794 ■ 1326 (mod 2357). 
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Note that ElGamal basically doubles the size of the message. For this reason, cryptog- 
raphers often ignore the national standard in favor of other cryptosystems. 

□ 

System-Wide Parameters Note that there is no particular reason why everyone in 
a system could not use the same values for the prime p and the generator g with ElGamal. 
Each individual would only then need to choose a private value for a. This has been sug- 
gested, and has received limited use in practice. 

7 WEAKNESSES OF ELGAMAL 

ElGamal can be broken provided proper precautions are not taken. We describe the most 
important weakness here. 

Equal Encryption Exponent Attack It is very important that when enciphering 
using the transformations 

c = (mod p) (Q<c<p) 

d = Pr^ = Pig‘‘)'‘ (mod p) (Q<d<p). 

that the sender choose a different random value of k for each plaintext message. If the mes- 
sage must be separated into blocks, a different value of k must be used on each block. If not, 
plaintext can be easily derived by an adversary. To see this, suppose the same value for k 
was used to encipher the plaintext messages P and P . Their corresponding ciphertext pairs 
are (c, d), and (c*, cf). Note then that we have 

d • (/)' - Pig^f ■ {P^g^fy (mod/7), 

where d' and {ct)' are inverses of d and (f modulo p, respectively. Thus 

P* ■ d ■ (d*y = P (modulo p). 

Thus, if either message, P or P , were known to an adversary, they could easily derive 
the other message. Thus, this is a known plaintext attack coupled with carelessness on the 
part of the sender. If the sender always used the same value for k, an adversary would need 
only one plaintext message to retrieve any others. 

Example. Here we see this type of attack, which you will be asked to program in Java. We 
begin by finding a safe prime: 

p=32 13876088517980551083924184682325205044405987565585670609523 

It turns out that g = 2 is a generator for this prime. The sender’s private ElGamal key will 
be: 

a = 1897456254164942343917965235766273117568497123443633417036846 
We compute the sender’s public key value r as the Inr of g" modulo p: 


r= 2063540830854289477395627063716322702415230040026373835561574 
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To execute this attack we have two plaintext messages; suppose the first is unknown to 
the adversary: 

P = 30249875309285709328759302875930285709327590347524096346 

The second plaintext message, however, is known to the adversary: 

P* = 9238652389765892365982365826589265892569823659826892659823 

We will choose a random k for encryption, but we will make the mistake of using the same 
k for both messages: 

A: = 2388424515437026664851549783676880762378680269832085250306583 

We now compute the ciphertext values for both messages, and send them. The adversary 
now has both ciphertext messages. 

c = g'‘ (mod p) = 

1642888020851138839985143747652209853264823298182518021833998 
d = P ■ (mod p) = 

242369927295936507 1 2999 1 9696965347809 1 280 1 909834 1 877537393 147 
c* = c = g'' (mod p) = 

1642888020851138839985143747652209853264823298182518021833998 
d* = p* ■ ^ (mod p) = 

1 39450079 15236963673054425267 1 29053 12818729871 045966459248084 

With this information, the adversary computes inverse of ct modulo p\ this is easily done: 

((f) ' = 1711 6426930002101 4098269930428606 19413933561 6620654362864 1 66 

The adversary can now obtain the first plaintext message without decrypting, by com- 
puting the Inr of P* ■ d ■ (cf)' modulo p: 

30249875309285709328759302875930285709327590347524096346. 

This should convince you that you should never use the same value for k to encrypt mul- 
tiple messages. 

□ 

14.8 THE RSA CIPHER 

Rivest, Shamir, and Adleman created the RSA cipher (hence the acronym RSA). They were 
among the first to patent their work in public key cryptography, and they even claimed their 
patent included all forms of public key cryptography! Regardless, their patent has now 
expired. 

RSA works like this: 

1 . The receiver of a message generates two large strong primes, p and q, forms their prod- 
uct, say n = pq, and makes public the value of n. At current levels of computing power. 
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n should be at least 1024 bits in length. Everyone knows n, but not its two factors, p or 
q. 

2. The receiver then chooses an integer e <n, such that ie,{p — l){q — 1)) = 1. The value 
for e is made public. 

3. The receiver also computes a decryption key, d, which is an inverse of e modulo 
(p — 1)((? — 1). This inverse exists since e was chosen relatively prime to (p — 1) 
(q — 1). That is, d must satisfy the congruence 

ed= I (mod (p — l)(q — 1)). 

The sender of the message can send a message P < nhy computing with the encipher- 
ing transformation 

C = P" (mod n) 0< C <n. 

5. The receiver gets the ciphertext message C, and can retrieve the plaintext by computing 
P = Cf (mod n). 

This cipher looks remarkably similar to the Pohlig-Hellman exponentiation cipher. 
Decryption worked in that case because of Fermat’s Little Theorem. FLT will also help us 
prove that decryption works here. Note that since 

ed= \ (mod (p — \){q — 1)) 

there is an integer k such that ed = \ + k(p — l)(q — 1). Now, suppose the plaintext mes- 
sage P is relatively prime to p; that is, (P, p) = 1. Then, by FLT, 

pp-i ^ 1 (mod p). 

Thus, we also have the following: 

ped — pl+k{p-\){q~l) ^ p^p{p-y)^k[q-~l) ^ p . j%+l) = p (mod p) 

On the other hand, even if P is not relatively prime to p, we still have 

P^‘‘^P (mod p), 

since both sides are congruent to 0 modulo m. Similarly, we can also show that in all cases, 

P^‘‘ = P (mod q). 

Now, since p and q are certainly relatively prime, by proposition 26 we have 

P^‘‘^P (mod n). 


Now, simply note that 

Cd ^ ^pey ^ ped ^p 

and we have our proof that decryption always works, whether or not the plaintext message 
P is relatively prime to the modulus n. 



272 Chapter 14 Exponential Ciphers 


I£xAMPLE. We will demonstrate RSA using small numbers. To establish a public and private 
key, an individual first selects two primes, say p = 563 and q = 2357. So, n = 563 • 2357 = 
1326991. Finally, he selects an integer e = 3 relatively prime to (p — l)(q — 1) = 1324072, 
and computes the inverse of e modulo (p — l)(q — 1 ) by solving 

3d^ 1 mod (1324072) 

for d. This yields 

d^ 882715 (mod 1324072). 

The values for n and e are made public; d, p, and q remain private. 

Suppose someone wants to send the message (regarded as an integer) 

P= 1107300 

to the aforementioned individual. They must simply calculate and send the ciphertext 

C= 875102 ^ 1107300^ (mod 1326991). 

To decrypt, the recipient uses the decryption key to derive the plaintext thus; 

P = 1107300 ^ 875102'^®2’15 (mod 1326991). 

□ 

14.9 WEAKNESSES OF RSA 

RSA can be compromised given certain conditions. We will examine these issues here. 

Small Encryption Exponent It has been suggested that a small encryption expo- 
nent in RSA be used since it speeds up encryption. For example, ah users could use e = 3 
as their public encryption key. This doesn’t help recover their decryption exponents, since 
this still seems to involve factoring each of their moduli (each still chooses a different mod- 
ulus). However, a small common value for e allows one to compute the eth root (with the 
aid of the Chinese Remainder Theorem) when the same message is sent to multiple entities. 
Recall that a similar problem occurs with the Rabin cipher. 

Suppose e = 3 for some individual, and they send the same message m (enciphered) to 
three different entities, having respective moduli Hj, and rij,. The ciphertext sent to each 
entity will be denoted Ci, C 2 , and C 3 . An eavesdropper intercepting these messages merely 
has to find the simultaneous solution x to the system 

X = Cl (mod 111 ) 

x = C 2 (mod 112 ) 

X = C 3 (mod n^). 

Since < nin 2 nj,, (and these moduli are almost certainly pairwise relatively prime) the 
Inr of the x obtained using CRT is in fact, m^. Thus, to recover m, one needs only compute 
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the ordinary cube root of x. The eavesdropper needs no knowledge of the private decryp- 
tion keys. 


Example. Here we see this type of attack. You will be asked to program this in Java. We 
will use e = 3, a small RSA encryption exponent. The private primes pi and q\ for the first 
recipient will be 

pi = 1797693134862315907729305190789024733617976978942306572734300811577 
326758055009631327084773224075360211201138798713933576587897688144166224 
928474306394741243777678934248654852763022196012460941194530829520850057 
688381506823424628814739131105408272371633505106845862982399472459384797 
16304835356329624224137859 

ql = 3595386269724631815458610381578049467235953957884613145468601623154 
653516110019262654169546448150720422402277597427867153175795376288332449 
856948612789482487555357868497309705526044392024921882389061659041700115 
37676301 36468492576294782622108 1 65447432670 1021369 17259647989449 1 8769594 
32609670712659248448276687 

and so the public modulus of the first recipient is 

n\ = 6463401214262201460142975337733990392088820533943096806426069085504 
931027773578178639440282304582692737743592184379603898823911830098184219 
017630477289656624126175473460199218350039550077930421359211527676813513 
655358443728523951232367618867695234094116329170407261008577515178308213 
161721510479824786077168039180583408274776831691763152279716383800031412 
340152137152869819345741269583108122123538437343928423821045606152759418 
497127367645255205598014712084444888413036198687032378283647381146628192 
392272381 84943 188233259835607 113670605755573747578481214665 1136260498654 
127694383482536657973 1 809108470421496863793 133. 

The private primes p2 and q2 of the second recipient will be 

p2 = 2876309015779705452366888305262439573788763166307690516374881298523 
722812888015410123335637158520576337921822077942293722540636301030665959 
885558890231585990044286294797847764420835513619937505911249327233360092 
301410410917479406103582609768653235794613608170953380771839155935015675 
460877365701273987586195643 

q2 = 2876309015779705452366888305262439573788763166307690516374881298523 
722812888015410123335637158520576337921822077942293722540636301030665959 
885558890231585990044286294797847764420835513619937505911249327233360092 
301410410917479406103582609768653235794613608170953380771839155935015675 
460877365701273987586198999 

and so the public modulus of the second recipient is 

n2 = 8273153554255617868983008432299507701873690283447163912225368429446 
311715550180068658483561349865846704311797996005892990494607142525675800 
3425670 1 093076047888 1 504606029054999488050624099750939339790755426321 297 
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478858807972510657577430552150649899640468901338121294090979219428234512 
847003533414175726178704338701976613396997023846923989429400915267675371 
224072946225492282228797405663320 1 82508 126374511091 62228995 890265099 1 068 
621751297833605381900481249551537274059332054881942134979356683844461315 
85719769748108125895563260802289655241774630887967226547 1 807920624327017 
057749253168131337219010124364276404953144761357. 

The values for the third recipient follow: 

/73= 35411102995737846719623366518168333594298050196755774758706943392443 
66354248746209746766217298983045 1 40 1 74450682725781 1 09897 1539574175429169 
040491337203319097489754734608074368268882013823897755753670014930080870 
848303015557260084193760775969411802919046594091514825570101726091141999 
723275760769674074440206 1 

ql, = 5372505775803011191699027186229436115154643737621173737244331649963 
8397 18830571435 1 36309031205287665049557609629101429655500045920075361837 
470441790476989175818634152591423832165782821767069215312532720454065486 
795987726325808014350172260902692229856033303728223284940139917347963269 
3304050579950 1161 62025577 

n3 = 1902463553721568939032257823502926001674773697587598247139701501558 
833032560573732156154986990101160748711956621018724350255640687762304205 
144517420437252812678611421725439723210501596142807702910144484328413464 
009410879198942831308327834478772050471428586982951345191112660759887497 
098234128606203524070530199477782074583416481614110088865594576679523571 
008070891377916006088569389740523909478410532054423032367945632587585577 
649911547160430568562503586541625305374277808808231279409769887944404948 
587431526155196203679667198209757558869929282570299557397858226950493053 
5780212065956740098961873155687720229453514197. 

Here is the plaintext message, which will be enciphered using the public information of 
all three recipients, and sent to each of them. 

P = 3275628365082365092375902375908237509238750982759082375908273590823 
759087230958732098750932857903287509328750932487509832750983275098327590 
823750983709573092875093287509238587236589723658923659302750943275903428 
573265897265982356982365982356892658923650957809367239856892365982365982 
365982365982365982569825698235698265398236598269852732095689236589237932 
865982365982365987263986598236589726895698236598236598723658972 

The three ciphertext messages follow (remember that all three recipients are using the 
same encryption exponent e = 3): 

cl = 2985228835528562083388427674196356206282147873827945558991685797078 
077854306787783992568624318014109425772341743388920108913938591038814111 
839772619456653274001839218157096089847009660629844237128793654287567350 
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240401106933796831238382712726065503420969945031934587505960500202039271 

010204205064906015443161021845653786752636025260799122554299333085262937 

754681616948053574596664948180936338471404599519393350947311750249336602 

566373054085085654466968467435173138677842771269107786076764683104725159 

085803399247689839480710024231899552955240866564500416082461325382912856 

3981127997579924735517785176219721209395629732 

c2= 16286983518735228505840113496918055700047960329750616066339974975250 
894466786593649586940796439731971714973648579964628952756390697386846725 
808247246350123364251824728684405000577233656908306660838469990709494371 
183440981716872319937648396756921247290698985908758743411248226003010386 
914137647769501871476851826732558313018035079597905992082481553177956845 
505791440702248084940208130754599931889430653577464075295729219681632788 
900620750598115948837855900651606672958729969095386594621689577676203663 
696374637520566486504552000041248343493856740588118792122227244169316401 
46389299122604098725356865820444366292947816563 

c3 = 12567783837800213521200299914797114622076420797206177684473093808580 
938325308332512752655068693755790871997590027458508437 1108056795 1 3 1 83420 
442283465242611891567416821943641070051981230872763796105042888016717025 
300494644541461194457425228032425313318614186520722586565382438019917243 
091905720890203872957452684366165431133548225626913824877304107770894899 
866371960770489484155556132768782853292020545589228629366651712164492852 
409158186141379757758419440311040383774470301077963093119315090023781825 
727351989076473102076691623614368347638568431352532118619990795887055439 
8 1 22042 1 2 1 24790288640996535404057617561 04 1 475 . 

The adversary now simply needs to apply the Chinese Remainder Theorem to find a 
unique solution for modulo n\ ■ n2 ■ n3. In this case, the value obtained for is: 

7"^= 35146644579287030560978762514660233813201904405872999705932115768696 
905737782928494123424667693810639154098057179494678341604252064480085930 
448873399913510559180840627391661278513747773824532131736429578868180533 
546596973051679447607224498688779103441643557427932944735844102120065513 
450152647261203797382245638092253606052730256469061716464027241288668992 
664846323926601472426171907548221063300008782269770133937503368215361341 
424695299633422970257709050340398184758688361230894677215671248555876252 
443718216841326453679475853867288182326358282946314703313981226936021432 
181551344885263869383227262609681750731967113205459444397137846013122862 
368427908741920030361275067287900463396928835345577244527199407924861646 
312092052422402960394100282941179465457702698040031492383614192133451124 
256650262335384033971798138589528092667727448073755938420554419216151431 
513983340263604768937226944910380656153269128104985487494450080601939672 
203312127933868265041404967517875435486001476509867909690981955130557982 
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04847 1 3 1 60979561 1 68757844476643 1 3597829828076647064321 39830408029286 1 040 
181121981874584035357384531261940870073590132259507075848608542622897132 
965830205493142649925057238587095855015428120910267486856492069160267899 
700588571140797942067121441946048. 

Since the adversary knows that must be less than n\ ■ n2 ■ n3, she simply needs to take 
a normal cube root to retrieve the plaintext. 

p = (p3)i/3= 32756283650823650923759023759082375092387509827590823759082735 
908237590872309587320987509328579032875093287509324875098327509832750983 
275908237509837095730928750932875092385872365897236589236593027509432759 
034285732658972659823569823659823568926589236509578093672398568923659823 
659823659823659823659825698256982356982653982365982698527320956892365892 
37932865982365982365987263986598236589726895698236598236598723658972. 

Note that nowhere during this attack does the adversary need to know any of the private 
info of any of the recipients. Of course, this attack can be circumvented by salting mes- 
sages. Another way of getting around this attack is NOT to use a small encryption exponent 
with RSA. 


Common Modulus Attack It has also been suggested for RSA that all entities in a 
system could use the same modulus n. Each user would choose their own distinct enci- 
phering exponent e and its corresponding deciphering exponent d. However, a common 
value for n is far worse than everyone using the same value for e, as it allows anyone know- 
ing a single pair (e*, d*) of exponents to determine the private keys of everyone using the 
same modulus. You should consider how this is done. 


Java Algorithm Following are two methods in the Ciphers class to do encryption and 
decryption using RSA. Neither salt nor CBC is used. Of course, these methods use the 
helper methods in the Ciphers class to block, unblock, pad and unpad. 

public static bytei] RSAEncipher (byte [ ] msg, Biginteger e,BigInteger n) { 

//Compute the plaintext block size 
int blockSize= (n .bitLength ( ) -1 ) /8 ; 
byte[] [] ba=block(pad{msg,blockSize) ,blockSize) ; 

//Begin the enciphering 

for (int i=0;i<ba. length; i++) ba [i] =getBytes (new 
Biginteger (l,ba[i] ) .modPow(e,n) ) ; 

//Return to a ID array. The ciphertext block size is one byte greater than 
plaintext block size. 

return unBlock (ba, blockSize+1 ) ; 

} 

public static byte[] RSADecipher (byte [ ] msg, Biginteger d, Biginteger n) { 

//Compute the ciphertext block size 
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int blockSize= (n.bitLength( ) -1) /8+1; 
bYte[] [] ba=block (msg, blocksize) ; 

//Begin the deciphering 

for (int i=0;i<ba. length; i++) ba [i] =getBYtes (new 
Biginteger (l,ba[i] ) .modPow{d,n) ) ; 

//Go from blocks to a ID array, and remove padding; return this 
return unPad (unBlock (ba, blockSize-1 ) , blockSize-1 ) ; 


The methods to encipher/decipher with salt are also in the Ciphers class. 

public static bYte[] RSAEncipherWSalt 

{bYte[] msg, Biginteger e, Biginteger n, SecureRandom sr) { 

//Compute the plaintext block size 
int blocks! ze= (n. bit Length ( ) -1 ) /8 ; 

if (blockSize<5 ) throw new IllegalArgumentException 
("Block size must be >= 5 bYtes"); 
bYte[] [] ba=block(pad(msg,blockSize-4) ,blockSize-4) ; 

//Begin the enciphering 
for (int i=0 ; i<ba . length; i++ ) { 
ba [i] =addSalt (ba [i] , sr) ; 

ba [i] =getBYtes (new Biginteger (1 , ba [i] ) .modPow(e, n) ) ; 

} 

//Return to a ID arraY- The ciphertext block size is one bYte greater than 

//plaintext block size. 

return unBlock (ba,blockSize+l); 


public static bYte[] RSADecipherWSalt (bYte [ ] msg, Biginteger d, Biginteger n) { 
//Compute the ciphertext block size 
int blockSize= (n.bitLength( ) -1) /8+1; 
bYte[] [] ba=block (msg, blocksize) ; 

//Begin the deciphering 

for (int i=0 ; i<ba . length; i++ ) { 

ba [i] =getBYtes (new Biginteger (1 , ba [i] ) .modPow(d, n) ) ; 
ba [i] =removeSalt (ba [i] ) ; 

} 

//Go from blocks to a ID arraY, and remove padding; return this 
return unPad (unBlock (ba, blockSize-5 ) , blockSize-5 ) ; 



TestRSACipherApplet is on the book’s website to test the RSA methods. The applet actu- 
ally uses a salted version of RSA. You will see that if you encipher the same plaintext mul- 
tiple times, you will receive a different ciphertext each time. (See Figure 14.3.) 
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FIGURE 14.3 
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EXERCISES 

1. Write a pohligHellmanEncipherWCFB() and pohligHellmanDecipherWCFB() method 
in the Ciphers class to use CFB. 

2. Write the elGamalEncipher() and elGamalDecipher() methods in the Ciphers class. 

3. Write the RSAFncipherWCBC() and RSADecipherWCBC() methods in the Ciphers 
class to use CBC. 

4. Write a Java program to retrieve ElGamal messages using the equal enciphering expo- 
nent attack. 

5. Write a Java program to retrieve RSA messages when all entities use the same small 
encryption exponent. 

6 . It has been proposed that each entity using RSA use a common modulus (but distinct 
encryption and decryption exponents). Why is it crucial that each entity choose its own 
modulus? 



CHAPTER 15 

Establishing Keys and 
Message Exchange 


15.1 ESTABLISHING KEYS 

Since its appearance, public key cryptography has been used to establish secret keys over 
an unsecure connection. Thus, communicants with no secret key to share can establish one 
by using a public key protocol, and some public keys generated “on the fly.” 

To demonstrate this key exchange I have written a couple of classes. However, in order 
to see how they work we must cover some of the methods of the Java networking classes. 
To get two computers to talk to each other, we will use two classes from thejava.net pack- 
age: Socket and ServerSocket. A socket represents an abstraction of a connection between 
computers. The way data is transferred between machines is quite complicated, and a socket 
insulates the programmer from this. Thus, socket I/O in most languages is similar to key- 
board I/O, or file I/O. In Java, this is certainly the case. 

To set up a socket between machines, one machine starts out by listening for a connec- 
tion on a designated port (the server) and one starts out by talking to the server (the client). 

In Java, we set up a server by doing something like this: 

ServerSocket ss = new ServerSocket ( 5432 1 ) ; 

Socket connectionServerSide = ss . accept () ; 

This server will listen on port 54321 for a request from a client. When it receives such a 
request, the accept() method from the ServerSocket class will create (and return) a socket 
between the server and the client. 

There are 65535 logical ports that a server can use; however, some are set aside for use 
with standard protocols. A list of some of these standardized ports follows. (See Table 15.1.) 
Do not use them unless you are writing a server for that purpose. 

Most standard protocols are on the low end of the range of 1 thru 65535. If you use a port 
greater than 10000, say, you will probably be fine. Another potential problem with running 
a server is that you may not have permission to bind to (listen on) a port. You may need to 
see your system administrator to obtain permission to do this. 

Setting up the client side of a socket is simple. You simply request a connection to a 
server running on a specified port. 
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echo 

7 

discard 

9 

daytime 

13 

ftp-data 

20 

ftp 

21 

telnet 

23 

smtp 

25 

time 

37 

whois 

43 

finger 

79 

http 

80 

pop3 

110 

nntp 

119 

RMI registry 

1099 


Socket connectionClientSide = 

new Socket ( "WupAssGameMachine" , 54321) ; 

The server’s name can be any of the following: 

1 . Its name on a network (if the client is also part of that network), 

2 . Its domain name on the Internet (if it has one), or 

3. Its IP (Internet Protocol) address (this is a number in dotted quad format, like 127.0.0.1). 
Any computer connected to the Internet will have an IP address. 

If anything goes wrong in setting up, the ServerSocket and socket constructors can throw 
various exceptions, as listed in Table 15.2. 


TABLE 15.2 




lOException 

BindException 

lOException 

UnknownHostException 
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How these exceptions are handled is up to the application. Once the socket exists between 
client and server, both client and server can prepare for input and output by using the get- 
InputStreamO and getOutputStream() methods from the Socket class. Each returns an Input- 
Stream object, and an OutputStream object, respectively. We usually pass these objects into 
constructors, which transform the streams into objects that can be more easily read from or 
written to; for example, if the server needs to send text data to the client, the programmer 
may do something like this: 

PrintStream toClient = 

new PrintStream(connectionServerSide.getOutputStreain( ) ) ; 

To send text data, we can use any of the methods from the PrintStream class: 

toClient .println ( "Howdy, client ! " ) ; 

The client can set up output in the same way. To receive text data, the client can set up 
a BufferedReader object, like this: 

Buf f eredReader fromServer = new Buf f eredReader ( 

new InputStreamReader (connectionClientSide . getInputStream ( ) ) ; 

To receive the text data, we have now at our disposal any of the methods from the Buffered- 
Reader class: 

String greetings = fromServer . readLine () ; 

One should close a socket prior to exiting a program, or at any time during the program 
when we wish to break the connection. Either the client or the server can close the socket, 
using the close() method from the socket class, as the server does here: 

connectionServerSide . close ( ) ; 

In Java, attempting to close a Socket which has already been closed does nothing. Server- 
Sockets should also be closed (once the Socket has been closed, of course): 

ss . close ( ) ; 

15.2 DIFFIE-HELLMAN KEY EXCHANGE APPLICATION 

You now know everything you need to know to set up a line of communication between com- 
puters using Java. Hence, I will now show you a couple of programs called DiffieHell- 
manListener (the server) and DiffieHellmanInitiator (the client), which set up a connection 
with each other and establish a secret key over an unsecure line. Here is the code for the 
server side. 

import java. security ; 
import j ava . math . * ; 
import j ava . net . * ; 
import j ava . io . * ; 

public class Dif fieHellmanListener { 

public static void main (String [ ] args) throws lOException { 
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//start by listening on port 11111 
ServerSocket ss=new ServerSocket ( 11111 ) ; 

//Wait for a connection 
Socket socket=ss . accept ( ) ; 

//Open input and output streams on the socket 
Buf feredReader in=new Buf feredReader (new 

inputStreamReader (socket .getlnputStream( ) ) ) ; 

PrintStream out=new PrintStream ( socket . getOutputStream ()) ; 

//Capture p,g,gtox values from client 
Biginteger p=new Biginteger { in. readLine ( ) ) ; 

Biginteger g=new Biginteger ( in. readLine ()) ; 

Biginteger gtox=new Biginteger (in. readLine ()) ; 

//Produce your own secret exponent 
SecureRandom sr=new SecureRandom ( ) ; 

Biginteger y=new Biginteger (p .bitLength () -1 , sr) ; 

//Raise g to this power 
Biginteger gtoy=g .modPow (y , p) ; 

//Send this to client 
out. print In (gtoy) ; 

//Raise gtox to y power-this is the secret key 
Biginteger key=gtox.modPow (y , p) ; 

System. out .println 

("The secret key with "rsocket . getInetAddress ( ) . toString ( ) +" is:\n"+key) 
int c=System. in. read( ) ; 

} 

} 

The client side of this connection is equally simple: 

import java. security ; 
import j ava . math . * ; 
import j ava . net . * ; 
import java.io.*; 

public class Dif f leHellmanlnitiator { 

static Buf feredReader k=new Buf feredReader (new InputStreamReader (System. in) ) ; 
public static void main (String!] args) throws lOException { 

//Make a safe prime and generator 
SecureRandom sr=new SecureRandom () ; 

PrimeGenerator pg=new PrimeGenerator ( 1025 , 10 , sr ) ; 

Biginteger [ ] pandg=pg . getSaf ePrimeAndGenerator ( ) ; 

//Make your secret exponent 

Biginteger x=new Biginteger (pandg [ 0 ] .bitLength () -1 , sr) ; 
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//Raise g to this power 

Biginteger gtox=pandg [ 1] .modPow (x, pandg [ 0 ] ) ; 

//Open a connection with a server waiting for info 

System. out. println("Enter host name or IP address of server:"); 

String host=k. readLine ( ) ; 

//Server shouid be listening on port 11111 
Socket socket=new Socket (host, 11111) ; 

//Open input and output streams on the socket 
Buf feredReader in=new Buf feredReader (new 

inputStreamReader (socket . getlnputStream( ) ) ) ; 

PrintStream out=new PrintStream ( socket . getOutputStream ()) ; 

//Send the values p,g,gtox to server 
out . print in (pandg [0] ) ; 
out.print in ( pandg [1] ) ; 
out .print in (gtox) ; 

//Get the gtoy value from server 

Biginteger gtoy=new Biginteger ( in . readLine ()) ; 

//Raise gtoy to x power-this is the secret key 
Biginteger key=gtoy .modPow(x,pandg [0] ) ; 

System. out .println ( "The secret key is : \n"+key) ; 
k . readLine ( ) ; 


Here is a sample run of the server (which was started first) and the client (started second 
on a different machine). 

Server: 

The secret key with **********/********** is: 

12114199636606924797266840610171527288281060629502849488049381607979 

21289097119134252210652032462292962890192274749104820619339989532999 

29747753068016087465910738004515719368489010404514526849086194982928 

86796661064671158843778504644018420014267514586262260562581776028857 

52446509603402778647138069775001533301 

Client: 

Enter host name or IP address of server: 

•k'k'k'k'k'k-k'k'k-k 

The secret key is: 

12114199636606924797266840610171527288281060629502849488049381607979 
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21289097119134252210652032462292962890192274749104820619339989532999 

29747753068016087465910738004515719368489010404514526849086194982928 

86796661064671158843778504644018420014267514586262260562581776028857 

52446509603402778647138069775001533301 

Here, for reasons of anonymity, I have replaced the computers’ names and/or IP addresses 
with asterisks. 

15.3 MESSAGE EXCHANGE 

Certainly, the most common use of cryptography has been to exchange messages. A natural 
question to ask is, “which cryptographic method is best?” This is a loaded question, because 
the answer is, “It depends.” Most algorithms are superior in some ways, but inferior in oth- 
ers. We can make a table of the ciphers we have covered, as shown in Table 15.3, listing the 
advantages, disadvantages, and weaknesses of each. (I consider a weakness different than 
a mere disadvantage.) Some of the weaknesses can be described as potential weaknesses, 
since they can be corrected. 

15.4 CIPHER CHAT APPLICATION 

I have written a chat program to pass enciphered messages back and forth between a machine 
running as a client, and another running as a server. The two chatters do not need to share 
a secret key, since the client and the server each generate a public key/private key pair, then 
send the public key to the other. It doesn’t matter if anyone “listening in” captures either of 
these public keys. After the client and the server know the other’s public key, either can 
send encrypted messages. 

I should note that the messages in this application are not text, but arrays of bytes. Of 
course, this is because the messages are enciphered. Thus, the PrintStream and Buffered- 
Reader classes are not appropriate for doing 10. We must use something appropriate for 
reading/writing raw bytes, like DataInputStream, and DataOutputStream. 

To create these, we would do something like this: 

DataInputStream in=new 

DataInputStream(connection.getInputStream( ) ) ; 

and 

DataOutputStream out=new 

DataOutputStream{connection.getOutputStream( ) ) ; 

To write an array of bytes to the stream, we could use one of the write() methods from 
DataOutputStream, like this. 

bytel] msg = new byte [100]; 


out .write (msg) ; 
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TABLE 15.3 






Rabin 

Quick encryption — only 
a modular scanning is 
required. 

Can sign messages. 

Relatively slow 
decryption — correct 
root must be found. 
Must be padded with 
redundant bits for 
deciphering. 

Must use strong primes. 
Static cipher — salt or 
CBC required. 

If salt not used, 
vulnerable to chosen 
ciphertext attack, 
adaptive chosen 
ciphertext attack, and 
square root attack. 

Blum- 

Goldwasser 

Quick encryption. 

Stream cipher — can 
work with small quantities. 
Randomization is part of 
the encryption process. 


Vulnerable to chosen 
ciphertext attack. 

Pohlig- 

Hellman 


Secret key cipher — 
distribution of keys 
difficult. 

Must use safe primes. 
Message may be of 
low order modulo p. 
Static cipher — salt or 
CFB required. 

El Gamal 

Not a static cipher — 
randomization is part of 
the encryption process. 
Can sign messages. 

Ciphertext is at least 
twice as long as the 
plaintext. 

Must use safe primes. 
Must use a different 
random value kfor 
each block. 

RSA 

Quick encryption if a 
small enciphering 
exponent is used. 

Can sign messages. 

Decryption relatively 
slow due to modular 
exponentiation to 
large powers. 
Encryption may also 
be slow if a small 
encryption exponent 
is not used. 

Must use strong primes. 
Message may be of 
low order modulo n. 
Static cipher — salt or 
CFB required. 

If small encryption 
exponent is used 
without salt, vulnerable 
to a root attack. 
Vulnerable to common 
modulus attack if multiple 
entities choose to use 
the same modulus. 


To read bytes from the input stream into a byte array, we could use one of the read() 
methods from DataInputStream: 

bytel] buffer = new byte[100]; 

int numBytes = in . read (buf f er ) ; 

After execution of the last statement here, the array buffer will be filled up with as many 
bytes that were read, and this read() method returns how many bytes were read. You should 
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make the input buffer at least as long as the number of bytes you expect to receive, or not 
all the bytes will be read in. This should be adequate for you to understand the byte 10 in 
the chat program that follows. 

ni start with a screen shot of the CipherChat Server, because looking at the GUI helps 
to explain the components we will see later in the code. (See Figure 15.1.) It has a button 
to disconnect from the client (it starts out disabled), a field to type messages in, and an out- 
put area which displays incoming messages, plus information on the connection. 

Here is the code for CipherChatServer, which can be found on the book’s website. I will 
explain the code as I present it. 

java. io . * ; 
j ava . net . * ; 
j ava . awt . * ; 
j ava . awt . event . * ; 
j ava . math . * ; 
j ava . security . * ; 

class CipherChatServer extends Frame implements ActionListener { 

The following are all the objects the server will need. They are: 

1. The graphical components for the chat window. 

2. The objects used for input and output. 

3. The networking objects required to establish a connection. 


15.1 
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4. The crypto objects to store the server’s public and private keys, and to store the public 
key of the client. Two variables store the length of the ciphertext, and the length of the 
plaintext. 

private Button disconnectButton=new Button ( "Disconnect Client"); 

private TextField enterField=new TextField ( ) ; 

private TextArea displaYArea=new TextArea ( ) ; 

private Panel top=new Panel ( ) ; 

private Panel bottom=new Panel ( ) ; 

private DataOutputStream output; 
private DataInputStream input; 
private String message=""; 

private static ServerSocket server; 
private Socket connection; 

private Biginteger p, g, modulus , dec ipherExp, recipModuius ; 
private SecureRandom sr=new SecureRandom ( ) ; 
private int ciphertextBlockSize; 
private int plaintextBlockSize ; 

The constructor does the typical thing for a GUI; it lays out all the components on the 
frame, and displays it. However, this constructor also produces the public and private keys 
of the server when it calls the makeKeys() method, which we will see later. 

public CipherChatServer { ) { 

//Lay components on frame and display it 
super ( "Cipher Chat Server"); 

//Establish keys for RSA cipher 
makeKeys ( ) ; 

setLayout (new GridLayout (2,1) ) ; 
top . setLayout (new GridLayout (2,1) ) ; 
bottom. setLayout (new GridLayout (1,1) ) ; 
add (top) ; 
add (bottom) ; 

disconnectButton. setEnabled ( false) ; 
disconnectButton.addActionListener (this) ; 
top. add (disconnectButton) ; 
enterField. setEnabled (false) ; 
enterField. addActionListener ( this ) ; 
top .add (enterEield, BorderLayout .NORTH) ; 
bottom. add(displayArea) ; 
setSize (400 , 300 ) ; 
show ( ) ; 

} 
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The makeKeysO method is called early by the constructor to set up the sender’s public 
and private keys. Since we use RSA with salt, each communicant can use the enciphering 
exponent e = 3. Of course, each has its own modulus, and deciphering key, which are cre- 
ated here. Strong primes are used. 

private void makeKeys ( ) { 

PrimeGenerator pg=new PrimeGenerator ( 513 , 10 , sr ) ; 
do { 

p=pg . getStrongPrime ( ) ; 

} while (p . subtract (BigintegerMath. ONE) .mod (BigintegerMath. THREE) .equals 
(BigIntegerMath. ZERO) ) ; 

do { 

q=pg . getStrongPrime ( ) ; 

} while (q. subtract (BigintegerMath. ONE) .mod (BigintegerMath. THREE) .equals 
(BigintegerMath. ZERO) ) ; 
modulus=p .multiply (q) ; 

//Use 3 as enciphering exponent - OK since we are using salt 
decipherExp=BigIntegerMath. THREE .modinverse 

(p. subtract (BigintegerMath. ONE) .multiply (q. subtract (BigintegerMath. ONE) ) ) ; 
ciphertextBlockSize= (modulus .bitLength ( ) -1 ) /8+1 ; 
plaintextBlockSize=ciphertextBlockSize-6 ; 

} 

Note that the plaintext block size is computed as 6 bytes less than the ciphertext block 
size. This is because we need to take off 1 byte to get the plaintext under the modulus (all 
plaintext blocks must be smaller than the modulus), 4 bytes for the salt, and 1 byte for a pad 
byte (remember that the decipher method always removes padding). 

Once the keys exist, they can be sent to the other communicant. This task is handled 
here by the exchangeKeys() method. It will be called from a point in the program soon after 
a socket has been set up between the two parties. 

private void exchangeKeys ( ) { 
try { 

byte[] buffer=new bytelciphertextBlockSize]; 
input . read (buffer) ; 

recipModulus=new Biginteger (1, buffer) ; 
output .write (modulus . toByteArray ( ) ) ; 

} catch (lOException ioe) { 

System. err. println("Error establishing keys"); 

} 

} 


Two components on this window can generate an ActionEvent object: 

1. The user hit the enter key while in the message entry field. This means a message is to 
be sent. The text is captured from the field, enciphered using the recipient’s public key, 
and sent down the output stream. 
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2. The user clicked on the disconnect button. This sends a final one byte message of ZERO 
(enciphered) to the recipient. This special message signifies that this is the last trans- 
mission for the connection. 

These cases are handled here in the actionPerformed() method. 

public void actionPerfonned(ActionEvent e) { 

Obj ect source=e . getSource ( ) ; 

//User pressed enter in message entry field-send it 
if (source==enterField) { 

//Get the message 

message=e . getActionCommand { ) ; 

try { 

//Encipher the message 

if (message . length ( ) >plaintextBlockSize) 

message=message . substring ( 0 , plaintextBlockSize ) ; 
byte [ ] ciphertext=Ciphers . RSAEncipherWSalt 

(message . getBytes ( ) , BigintegerMath. THREE, recipModulus, sr) ; 

//Send to the client 
output .write (ciphertext ) ; 
output . flush ( ) ; 

//Display same message in output area 
displayArea . append ( " \n" +message ) ; 
enterField. setText ( " " ) ; 

} catch ( lOException ioe ) { 

displayArea. append ("\nError writing message"); 

} 

//Server wishes disconnect from the client 
} else if (source==disconnectButton) { 
try { 

byte[] lastMsg=new byte[l]; 
lastMsglO] =0; 

output .write (Ciphers .RSAEncipherWSalt 

( lastMsg, BigintegerMath . THREE, recipModulus , sr) ) ; 
output . flush ( ) ; 
closeAll ( ) ; 

} catch (lOException ioe) { 

displayArea. append ("\nError in disconnecting"); 

} 

} 

} 

Note that before a message is encrypted and sent, it may be truncated so that it does not 
exceed the plaintext block size. 

The go() method is where the server does most of its work. It continually loops (until 
someone closes the application) listening for incoming connections. When the accept() 
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method returns a Socket object, a connection exists. The server then opens up its 10 streams, 
and exchanges its public key (just the modulus — both parties will use 3 as their encipher- 
ing exponent) with the client. It then enables the disconnect button on the frame, and makes 
the message entry field editable. Finally, it enters into a loop, listening for messages from 
its input stream. If the disconnect message 0 is sent from the client, or if there is no more 
input to be read, the server disconnects by calling the closeAll() method, which you will soon 
see. The server then loops back up to the top, and waits for another connection. 

public void go ( ) { 
try { 

while (true) { 

display Area. setText ( "Waiting for connection"); 

//accept)) halts execution until a connection is made from a client 
connection = server . accept ( ) ; 

display Area. append ("\nConnection received from:" 

+connection.getlnetAddress ( ) .getHostName ( ) ) ; 

//Set up the 10 streams 

output = new DataOutputStream{connection.getOutputStream( ) ) ; 
output . flush ( ) ; 

input = new DataInputStream(connection.getInputStream( ) ) ; 

//Exchange public keys with the client-send yours, get theirs 
exchangeKeys ( ) ; 

//Send connection message to client 
message = connection. getLocalAddress ( ) 

. getLocalHost ( ) +" :Connection successful" ; 
byte [ ] ciphertext=Ciphers . RSAEncipherWSalt 

(message. getBytes ( ) , BigintegerMath. THREE, recipModulus, sr) ; 

//Send to the client 
output .write (ciphertext) ; 
output . flush ( ) ; 

//Enable disconnect button 
disconnectButton. setEnabled (true) ; 

//Messages may now be entered 
enterEield. setEnabled (true) ; 

try { 

//Read as long as there is input 

byte[] buffer=new byte [ciphertextBlockSize] ; 

boolean disconnectMsgSent=f alse ; 

while ( !disconnectMsgSent&&input.read(buffer) !=-l) { 
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//Decipher the bytes read in 
byte [] 

plaintext =Ciphers . RSADecipherWSalt (buffer, dec ipherExp, modulus) ; 
if (piaintext . length==l&&plaintext [0] ==0) { 
disconnectMsgSent=true; 
closeAll ( ) ; 

} eise { 

//convert to a string and display 
message = new Strlng(plaintext); 
dlsplayArea . append ( " \n" +message ) ; 

} 

} 

//Socket was closed from client side 
} catch (SocketException se) { 

//close connection and 10 streams, change some components 
closeAil ( ) ; 

} 

closeAll ( ) ; 

} 

} catch (Exception exc) { 
exc . printStackTrace ( ) ; 

} 

} 

Here is the closeAll() method. It puts a “Connection closing” string in the display area, 
then shuts down its 10 streams, then the socket. It turns off the message entry field, and 
disables the disconnect button. 

//Close socket and 10 streams, change appearance/ functionality of some components 
private void closeAll () throws lOExceptlon { 
dlsplayArea. append ("\nConnectlon closing") ; 
output . close ( ) ; 
input . close ( ) ; 
connection . close ( ) ; 

//Disable message entry 
enterFleld.setEnabled( false) ; 

//We are not connected-turn off the disconnect button 
disconnectButton. setEnabled ( false) ; 

} 

Of course, here is the main() method of CipherChatServer, which simply sets up the 
GUI, binds to a port for listening, then calls the go() method. 

public static void main (String [ ] args) throws lOException { 

CipherChatServer ccs=new CipherChatServer () ; 

CCS .addWindowListener ( 
new WindowAdapter ( ) { 
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public void windowclosing (WindowEvent e) { 
System. exit ( 0 ) ; 

} 

} 

) ; 

server = new ServerSocket ( 55555 ) ; 

CCS .go ( ) ; 
server. close ( ) ; 


} 


The client side of the chat program is pretty much the same, except it must initiate the 
connection with the server. Either the client or the server can break the connection, but the 
client must reinitiate, if desired. Figure 15.2 shows a screen shot of the client. 

It contains an area to type in the name of the server to connect to, and a button to con- 
nect. This button changes appearance once a connection exists; the label changes to “Dis- 
connect from server above.” The client also contains a field to type messages in, and an 
output area for incoming messages, and connection information. 

import java.lo.*; 
import j ava . net . * ; 
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import 3 ava . awt . * ; 
import j ava . awt . event . * ; 
import j ava . math . * ; 
import java. security ; 

public class CipherChatClient extends Frame implements ActionListener { 

The following are all the objects the client will need. They are: 

1. The graphical components for the chat window. 

2. The objects used for input and output. 

3. The networking objects required to establish a connection. 

4. The crypto objects to store the client’s public and private keys, and to store the public key 
of the server. Two variables record the length of the ciphertext, and the length of the 
plaintext. 

5. A Thread object. Since the client’s go() method (which just reads the input stream) can- 
not be called from the main method (since a connection may not yet exist), but is called 
from the actionPerformed() method, it does not exist in a separate thread from the frame. 
Thus, the read() method will block execution and won’t allow interactivity with the 
frame, unless it runs in a separate thread. (Note that the chat server does not have this prob- 
lem.) 

private TextField serverField=new TextField( ) ; 

private Button connectButton=new Button { "Connect to server above"); 

private TextField enterField=new TextField () ; 

private TextArea displayArea = new TextAreaO; 

private Panel top=new Panel ( ) ; 

private Panel bottom=new Panel ( ) ; 

private DataOutputStream output; 
private DataInputStream input; 

private String message=""; 
private String chatServer; 

private Socket connection=null ; 
private InetAddress clientName; 
private InetAddress serverName; 

private Biginteger p, g, modulus , dec ipherExp, recipModulus ; 
private SecureRandom sr=new SecureRandom ( ) ; 
private int ciphertextBlockSize; 
private int plaintextBlockSize ; 


private static Thread listener=null ; 
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The constructor does the typical thing for a GUI; it lays out all the components on the 
frame, and displays it. However, this constructor also produces the public and private keys 
of the client when it calls the makeKeys() method, which we will see later. 

public CipherChatClient ( ) { 

super ( "Cipher Chat Client"); 

//Establish keys for RSA cipher 
makeKeys ( ) ; 

//Lay out the components and display the frame 
setLayout (new GridLayout (2,1) ) ; 
top . setLayout (new GridLayout (3,1)); 
add (top) ; 

bottom. setLayout (new GridLayout (1, 1) ) ; 
add (bottom) ; 

connectButton.addActionListener (this) ; 
enterField.setEnabled( false) ; 
enterField. addActionListener ( this ) ; 
top.add(serverField) ; 
top.add(connectButton) ; 
top. add (enterField) ; 
bottom. add (displayArea) ; 
setSize (400 , 300 ) ; 
show ( ) ; 

} 

The client does a lot of work in its actionPerformed() method. The ActionEvents gener- 
ated here may mean more than one thing. The events are: 

1. The user hit enter in the message entry field, and wants to send the message. We send this 
message down the output stream the way we did for the server. 

2. The user pressed the connect/disconnect button. This can mean one of two things: 

a) We are currently connected, and the client wishes to disconnect. To disconnect, we 
must first send the terminate message 0 (enciphered) to the server. Then we call the 
closeAllO method, which closes the streams and sockets, and changes the appear- 
ance/functionality of components on the GUI. 

b) We are currently disconnected, and the client wishes to connect. To connect (or recon- 
nect) the client must attempt to establish a socket with the specified server, open its 
10 streams, exchange public keys with the server, and enable the message entry field. 
It then calls the go() method, which listens for input in a separate thread. 

All of these cases are handled here. 

public void actionPerformed (ActionEvent e) { 

Ob j ect source=e . getSource ( ) ; 

//Client pressed enter in the message entry field-send it 
if (source==enterField) { 
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//Get the message 

message=e . getActionCommand ( ) ; 

try { 

//Encipher the message 

if (message . length ( ) >plaintextBlockSize) 

message=message . substring ( 0 ,plaintextBlockSize) ; 
byte [ ] ciphertext=Ciphers . RSAEncipherWSalt 

(message. getBytes ( ) , BigintegerMath. THREE, recipModulus, sr) ; 

//Send to the server 
output .write (ciphertext ) ; 
output . flush ( ) ; 

//Display same message in client output area 
displayArea . append ( " \n" rmessage ) ; 
enterField. setText ( " " ) ; 

} catch (lOException ioe) { 

displayArea. append ("\nError writing message"); 

} 

else if (source==connectButton) { 

if (connection! =null) { //Already connected-button press now means disconnect 
try { 

//Send final message of 0 
byte[] lastMsg=new byte[l]; 
lastMsg[0] =0; 

output .write (Ciphers . RSAEncipherWSalt 

( lastMsg, BigintegerMath. THREE, recipModulus , sr) ) ; 
output . flush ( ) ; 

//close connection and TO streams, change some components 
closeAll ( ) ; 

} catch (lOException ioe) { 

displayArea. append ("\nError closing connection"); 

} 

} else {//Not connected-connect 

//Get name of server to connect to 
chatServer=serverField. getText ( ) ; 

displayArea. setText ( "Attempting connection to "+chatServer) ; 
try { 

//Set up the socket 

connection = new Socket (chatServer, 55555 ) ; 
displayArea . append 

( "\nConnected to: "+connection . getInetAddress ( ) . getHostName ( ) ) ; 

//Set up the TO streams 

output = new DataOutputStream (connection . getOutputStream ()) ; 
output . flush ( ) ; 
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input = new DataInputStream (connection. getInputStream {)) ; 

//Exchange public keys with the server-send yours, get theirs 
exchangeKeys { ) ; 

//Change appearance/functionality of some components 
serverFieid. setEditable ( false) ; 

connectButton. setLabel ( "Disconnect from server above"); 
enterField. setEnabied{true) ; 

//Set up a thread to listen for the connection 
iistener = new Thread { 
new Runnable ( ) { 

public void run() { 
go ( ) ; 

} 

} 

) ; 

iistener. start { ) ; 

} catch (lOException ioe) { 

displayArea. append ( "\nError connecting to "rchatServer) ; 

} 

} 

} 

} 

The makeKeysO method here is the same as the one in CipherChatServer. 

private void makeKeys ( ) { 

PrimeGenerator pg=new PrimeGenerator ( 513 , 10 , sr ) ; 
do { 

p=pg . getStrongPrime ( ) ; 

} while (p . subtract (BigintegerMath. ONE) .mod (BlglntegerMath . THREE) .equals 
(BigIntegerMath. ZERO) ) ; 

do { 

q=pg . getStrongPrime ( ) ; 

} while (g. subtract (BigintegerMath. ONE) .mod (BigintegerMath. THREE) .equals 
(BigintegerMath. ZERO) ) ; 
modulus=p .multiply (q) ; 

//Use 3 as enciphering exponent - OK since we are using salt 
dec lpherExp=Biglnt egerMath. THREE .modinverse (p . subtract (BigintegerMath. ONE) 
.multiply (q. subtract (BigintegerMath. ONE) ) ) ; 
ciphertextBlockSize= (modulus .bitLength ( ) -1 ) /8+1 ; 
plaintextBlockSize=ciphertextBlockSize-6 ; 

} 

The exchangeKeysO method here is the same as the one in CipherChatServer, except 
the client sends its key first, then waits for the public key of the server. 
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private void exchangeKeys { ) { 
try { 

output .write (modulus . toByteArray ( ) ) ; 
byte[] buffer=new byte[ciphertextBlockSize]; 
input. read (buffer) ; 

recipModulus=new Biglnteger(l, buffer) ; 

} catch (lOException ice) { 

System. err. println("Error establishing keys"); 

} 

} 

The go() method is where the client enters into a loop, listening for messages from its input 
stream. It then proceeds to read input; if the disconnect message 0 is sent from the server, 
or if there is no more input to be read, the client disconnects by calling its closeAll() method, 
which you will soon see. This method will be called whenever the client clicks on “Connect 
to server above.” 

private void go ( ) { 
try { 

//Read as long as there is input 

byte[] buffer=new byte [ciphertextBlockSize] ; 

boolean disconnectMsgSent=f alse ; 

while ( !disconnectMsgSent&&input. read (buffer ) !=-l) { 

//Decipher the bytes read in 

byte[] plaintext=Ciphers .RSADecipherWSalt (buff er, decipherExp, modulus ) ; 
if (plaintext . length==l&&plaintext [0] ==0 ) { 
disconnectMsgSent=true; 
cioseAil ( ) ; 

} else { 

//convert to a string and display 
message = new String (plaintext ) ; 
displayArea . append ( "\n"+message) ; 

} 

} 

} catch (lOException ice) { 

//Server disconnected-we can reconnect if we wish 

} 

} 

The closeAllO method for the client is similar to the one for the server. It closes its 10 
streams, then the socket. It ensures to set the socket to null, since this is how the client tests 
for a connection. The client then changes its button to say “Connect to server above” again, 
and shuts off the message entry field. 

//Close socket and 10 streams, change appearance/ functionality of some components 
private void closeAllO throws lOException { 
displayArea. append ("\nConnection closing") ; 
output . close ( ) ; 
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input . close ( ) ; 
connection. close ( ) ; 

//We are no longer connected 
connect ion=nul 1 ; 

//Change components 
serverField. setEditable (true) ; 

connectButton. setLabel ( "Connect to server above"); 
enterField.setEnabled( false) ; 

} 

Here is the main() method of CipherChatClient, which simply sets up the GUI. 

public static void main( String args[] ) throws lOException { 
final CipherChatClient ccc = new CipherChatClient ( ) ; 
ccc . addWindowListener ( 
new WindowAdapter ( ) { 

public void windowclosing (WindowEvent e) { 

System. exit ( 0 ) ; 

} 

} 


Note that this chat program makes no attempt to authenticate its users. That is, you don’t 
know if the person on the other end of the socket is actually whom he or she claims to he 
(without, perhaps, asking a few personal questions). To provide authentication, the keys 
would not be generated for each connection, but would already be on file with a Trusted Third 
Party, or TTP (see the chapter on cryptographic applications for discussion of a TTP). Each 
communicant can check the received public keys against this database. It would be virtu- 
ally impossible for a chatter to pretend to be someone else without knowledge of his or her 
decryption keys. (They certainly would have a hell of a time trying to carry on an intelli- 
gent conversation with you without being able to decrypt your messages!) 

EXERCISE 

Realistically, a chat program should function both as a multithreaded server, and a multi- 
threaded client. This would allow you to start your chat program and initiate connections 
with multiple chatters, while at the same time listening for connections from other chatters 
wishing to connect with you. Write an enciphered chat program with this capability, and use 
a cipher other than RSA. 


CHAPTER 16 

Cryptographic Applications 


The classical use of cryptography was to use it to pass secret messages between enti- 
ties. More recently, cryptography has shown its usefulness in many other ways. We will 
investigate some of these topics in this chapter. 

16.1 SHADOWS 

The Chinese Remainder Theorem has many important applications in cryptography. One of 
these applications is the protection of vital information from both disclosure (whether inten- 
tional or not), and from loss. Suppose there is a secret that must be protected from exposure. 
This might be done by giving separate individuals (who may not even know each other) a 
piece of the information. To retrieve it, everyone supplies his or her piece and the secret is 
recovered. However, if one of these persons dies, or if his piece of the information has 
become somehow inaccessible, we must be able to protect the secret from being lost. That 
is, we should require that any subset of these individuals (of a predetermined minimum 
size) be able to reconstruct the secret. CRT provides us with a way to do this. 

Let the secret be represented by N, a large integer. From this N we will construct a 
sequence of integers ^l, S2, ■ ■ ■ , s,., called “shadows,” and give them to r different individ- 
uals. We generate the shadows thus; Choose a prime p greater than N, and a sequence of pair- 
wise relatively prime integers not divisible by p, say nii, m2 , . . . , m, such that < m2 < . . . 
< m,., and such that 


mpn 2 . ■ .nv> pm,m,._i. . 

This last inequality says that if we take the smallest r' integers, their product must be 
greater than p times the largest r' — 1 integers. This implies that if M = mim2 . . . then 
MIp is greater than the product of any subset of r' — 1 integers from {mi, m2, . . . , m,}. 
Now, choose a random integer u < MIp — 1 , and let 

N' =N+up, 
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so that 0 < N' < M. This is so since 

0 <N' = N + up < p + up = (u + l)p < {Mlp)p = M. 

Now, this is how to produce the shadows, Si, S 2 , ■ ■ ■ , s,:, let Sj he the least nonnegative 
residue of N' (mod nij)', that is, 

Sj = N' (mod nij) 0<kj< nij, and i = 1, 2, . . . , r. 

In order to recover the secret N from the shadows, we will need at least r' of them, so 
say we have some subset of the shadows Sj^, Sj ^, . . . , ,}. Using CRT, we can find the least 

nonnegative residue of N' modulo Mj where M, = . . . nij Now, note that M < M, 

(since M = mpn 2 . . . m,., is the product of the r' smallest integers), and thus, since 

Q<N’ <M<Mj, 

the least nonnegative residue obtained by using CRT is in factN', the very integer we seek. 
We then recover the secret N by computing 

N = N' - up. 

However, if we have fewer than r' shadows to work with, we cannot determine N', and 
hence cannot retrieve the secret N. To see this, suppose we only have r' — 1 shadows 
. . . , — i- CRT allows us to determine the Inr (say z) of N' modulo M, where M, = 

mi , ,m: — 1 , and so we know that 

N' = z + yMi where y = 0, 1 , . . . , MIMi. 

Now, we know (by our choice of p and the moduli) that MIp is greater than any product 
of r' — 1 of the moduli, so since 

MIp > Ml 

we have 

MIMi > P- 

This tells us that as y traverses the integers smaller than MIMj, y takes on every value mod- 
ulo p, and so also does N', since N' = z + yMj and since Mi is relatively prime to p. (Recall 
that all of the moduli are chosen so that they are not divisible by p.) Thus, we cannot pin N' 
(and hence N) down to any value, because N' could be in any of the residue classes mod- 
ulo p. 


ZiixAMPLE. Suppose we want to hide the secret number N= 10 from prying eyes. (Of course, 
we are choosing an example with ridiculously small values so that you can readily observe 
how this works.) We choose a prime greater than the secret, say p =\\. Now, suppose we 
want to have r = 5 shadows, and we wish to be able to recover the secret N from at least r' 
= 3 of the shadows. We choose the moduli as 

rwj = 17 


m2 = 19 
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m 3 = 23 
= 24 
= 25. 

Note that none of the moduli are divisible by 11, and that the product of the 3 smallest 
moduli is greater than the prime p=\\ times the two largest moduli: 

M= 17 • 19 • 23 = 7429 >6600= 11 • 24 ■ 25. 

Now, we choose a random integer u smaller than M = 7429/11 = 675.36, say u = 439, 
and then we compute 

M' =A1+ M/7 = 10 + 439 • 11 =4839. 

The shadows are the least nonnegative residues of N' modulo each modulus m,. Thus, 

= 11 (mod 17) 

^2 = 13 (mod 19) 

^3 = 9 (mod 23) 

^4 = 15 (mod 24) 

= 14 (mod 25). 

Now, suppose we wish to reconstruct the secret N from any 3 of the shadows, say S 2 = 
13, S 3 = 9, and J 5 = 14. First we find N' using the Chinese Remainder Theorem, as follows: 

IV' = 13 ■ 575 • 575' + 9 • 475 • 475' + 14 • 437 ■ 437' 

= 13 ■ 575 • 4 + 9 • 475 • 20 + 14 • 437 • 23 

= 256114 

= 4839 (mod 10925) (10925 = 19 • 23 ■ 25) 

Once we have N' , we recover the secret N by taking 

N = N' - up 
= 4839 - 439 • 11 
= 10 . 

It doesn’t matter which 3 shadows we use to reconstruct N', any 3 will do, as you may 
like to verify. However, if we try to pull the secret N out of only 2 shadows, we should fail. 
Suppose we try to reconstruct N from Sj = 11, and S 4 = 15. We use CRT to form the quan- 
tity 

Al' = 11 ■ 24 • 24' + 15 • 17 • 17' 

= 11 • 24 ■ 5 + 15 • 17 • 17 
= 5655 

= 351 (mod 408). 
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TABLE 16.1 



This is, of course, an incorrect value for N' . We will see that if we try any other pair of 
shadows, a similarly hopeless situation results. Consult Table 16.1, which shows all the 
combinations of shadow pairs, and the corresponding values for A^'. 

None of the values obtained here for N' are correct. Because of the requirements in our 
choice of the moduli and the prime p, two shadows simply do not provide us with enough 
information to reconstruct N' (and thus N). 


Java Algorithm We can write programs to demonstrate shadow making and key recon- 
struction. To do this, we will define two classes; 

The ShadowBuilder Class This will define a constructor that will accept a master 
key, and the number of shadows to generate. It generates the shadows and their respective 
moduli, plus the values of u, and the prime p as described above. Methods are provided to 
retrieve all these values. This class exhibits some differences from the scheme described 
above. First, it sets the minimum number of shadows required for reconstruction at just over 
half the total number of shadows; for example, if the total number of shadows generated 
is 7, 4 of them will be required to recover the master key, and if 8 shadows are produced, 
5 will be required for reconstruction. Second, the class produces a sequence of prime num- 
bers for the moduli; these will certainly fulfill the requirement to be pairwise relatively 
prime. 

The KeyRebuilder Class This class is for recovering the master key. It will define a 
constructor that accepts some shadows and their respective moduli, plus the values of u and 
p. It assumes that enough shadows are being used, and that the moduli are pairwise relatively 
prime. It reconstructs the master key from the shadows using the Chinese Remainder The- 
orem, and provides a method to return the master key as a Biginteger. 
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The ShadowBuilder class definition follows: 

import j ava . math . * ; 
import java. security .* ; 
public class ShadowBuilder { 

//The shadows 
Biglnteger[] shadow; 

//The moduli 

//The i-th modulus is for the i-th shadow 
Biglnteger[] modulus; 

//Two other values needed to reconstruct the master key 
Biginteger randomMultiplier ; 

Biginteger reconstruct ingPrime; 

//This constructor accepts the master key, the number of shadows to 
//generate, and the tolerance to set for the primes. These will be 
//used for the moduli, rather than a set of pairwise relatively prime 
//integers. The minimum number of shadows required to reconstruct 
//is set at r/2+1. 

public ShadowBuilder (Biginteger K, int r, int primeTolerance) { 
int s=r/2+l; 

int KeySize=K .bitLength ( ) ; 

//Generate a probable prime reconstructingPrime larger than K 
SecureRandom sr=new SecureRandomO; 

reconstruct ingPrime=new Biginteger (KeySize+1 , primeTolerance, sr) ; 

//Generate r primes for the moduli 

modulus=new Biginteger [r] ; 

for (int index=0 ; index<r; index++) { 

modulus [index] =new Biginteger (KeySize+2 , primeTolerance, sr) ; 

} 

//Choose a random multiplier less than the product of any s of the primes. 
//This will be so if the bitlength is less than ( s-1 ) * (KeySize-1 ) . 
randomMultiplier=new Biginteger (s* (KeySize-1 ) -KeySize-1 , sr) ; 

//Compute KO=K+randomMultiplier*reconstruct ingPrime 

Biginteger K0=K. add (randomMultiplier .multiply (reconstructingPrime) ) ; 

//Generate the r shadows 

shadow=new Biginteger [r] ; 

for (int index=0 ; index<r; index++) { 

shadow [ index] =K0 .mod (modulus [index] ) ; 

} 

} 


//Methods to return the values the constructor generated. 



304 Chapter 16 Cryptographic Applications 


public Biglnteger[] get Shadows { ) { 

return shadow; 

} 

public Biglnteger[] getModuli ( ) { 

return modulus ; 

} 

public Biginteger getRandomMultiplier { ) { 

return randomMultiplier ; 

} 

public Biginteger getReconstructingPrime ( ) { 
return reconstruct ingPrime; 

} 


} 


Here is the KeyRebuilder class definition: 

import j ava . math . * ; 
public class KeyRebuilder { 


Biginteger masterKey; 


//This constructor reconstructs the master key from a sequence of shadows 
//and moduli. It is assumed that enough shadows are being used to do this. 

//It is further assumed that the moduli are pairwise relatively prime 
public KeyRebuilder {Biginteger [ ] shadow, Biginteger [] modulus, 

Biginteger randomMultiplier, Biginteger reconstruct ingPrime) { 

//Produce a parallel array for each Mi, product of ail mj where i!=j for CRT 
Biginteger)] M; 

M=new Biginteger [modulus . length] ; 

//BigM is the product of all the moduli 
Biginteger BigM=new Biginteger { "I" ) ; 
for (int index=0 ; index<modulus . length; index++) { 

//Multiply BigM by modulus [index] 

BigM=BigM. multiply (modulus [index] ) ; 

//Start forming each M[ index] 

M[index]=new Biginteger ( "1" ) ; 

for (int index2=0 ; index2<modulus . length; index2++ ) { 

//If index=index2 , do not multiply M[index] by m[index2] 
if ( index ! =index2 ) { 

M [ index] =M[ index] .multiply (modulus [index2 ] ) ; 

} 

} 

} 

Biginteger K0=new Biginteger ( "0" ) ; 

//Produce KO using the Chinese Remainder Theorem with the shadows 
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for (int index=0 ; index<modulus . length; index++) { 

Biginteger MInv=M[index] .modinverse (modulus [index] ) ; 

K0=K0 . add ( shadow [index] .multiply (M[index] .multiply (Mlnv) ) ) .mod(BigM) ; 

} 

//The master key is KO - tp where t is multiplier, p is reconstructing prime 
masterKey=KO . subtract (randomMultiplier. multiply (reconstructingPrime) ) ; 

} 

//Method to return the master key 
public Biginteger getMasterKey ( ) { 
return masterKey; 

} 


Figure 16. l(a)-(d) shows an applet (called TestShadow Applet) to test the ShadowBuilder 
and KeyRebuilder classes. 



FIGURE 16.1 


(a) 
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FIGURE 16.1 



(d) 



16.2 DATABASE ENCRYPTION 

The Chinese Remainder Theorem can also play a role in enciphering databases. It can be 
done so that a particular user only has access to their data. A database is a collection of 
records Ri,R 2 , . . . , R„. We can regard each record as an integer, for they are basically stored 
this way. 

We first choose a sequence Pi,P 2 ,- ■ ■ ,Pi, of distinct primes with /?, > R, for / = 1, 2, . . . , 
n. As the enciphered database we will use an integer C that is congruent to R, modulo /?, V 
i. Such an integer exists and is computable by the CRT. Let M = pj} 2 - ■ -Pn let M, = Mlpj 
for each i. Now, let w, = M,M', where M', is an inverse of M, modulo /?,. 

We compute the enciphered database as 

C = X wfii (mod M) 0 < C < M, ( = 1, 2, . . . , «. 

We call Wi, W 2 , . . . ,w„ the write subkeys of the database cipher, for these will be required 
to write to the database; that is, they are required to construct C. The moduli, however, pi. 
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P 2 , ■ ■ ■ , Pn are all that is needed to read a record from the database; thus, we call them the 
read subkeys. Note that C, by construction, is congruent /?, modulo pi for any i; that is, 

C = Ri (mod pi) i = 1, 2, . . . , n. 

Each individual i gets the pair of values w,, and p,; this gives them read/write access to 
only their data. 

Example. Suppose the records in our database are 

Ri = 234 
/?2 = 201 
R^ = 147. 

We choose 3 primes, each greater than their associated record; say 

Pi = 499 
P2 = 503 
P 3 = 563. 

To encipher the database, we must find an integer C that simultaneously solves 

C ^ 234 (mod 499) 

C = 201 (mod 503) 

C = 147 (mod 563). 

Thus, we compute 

M= 141311311 
Ml = 141311311/499 = 283189 
Mj = 141311311/503 = 280937 
M 3 = 141311311/563 = 250997. 
and we find inverses of each M, modulo p,. 

Ml' =283189' ^ 384 (mod 499) 

M 2 ' = 280937' ^ 350 (mod 503) 

M 3 ' = 250997' ^ 301 (mod 563) 

Thus, the write subkeys are 

wi = 283189 ■ 384 = 108744576 
W2 = 280937 • 350 = 98327950 
^3 = 250997 • 301 = 75550097. 


308 Chapter 16 Cryptographic Applications 


TABLE 16.2 



Using the write subkeys, we encipher the records by forming the sum 
C = Wi/?i + W 2 R 2 + W 2 R 3 

^ 108744576 ■ 234 + 98327950 • 201 + 75550097 • 147 
= 56316012993 
= 74111215 (mod 141311311). 

To retrieve a particular record 7?, from the database, we simply compute the least non- 
negative residue of C modulo /7,. Table 16.2 shows all the retrieved records. 

□ 

Editing a Record Note that modifying some record /?, to some new value R/ with this 
scheme is particularly easy, for it does not involve recomputing the entire sum 

C = X WjRi (mod M) 0 < C < M, i = I, 2, . . . , n. 

All we have to do is compute the difference between the new value and the old value: 

D = Ri' - Ri, 

then add this to the sum to get a new enciphered value for the database. 

C = C + WfD (mod M). 

This works because 

C ^C + WiD 

= -t W 2 R 2 + WjRi WfjRfj "t WjD 

= WiRi + W 2 R 2 H- . . . H- wfii H- . . . -H W„R„ + WiiR/ - Ri) 

= Wi/?! + W 2 R 2 + ■ ■ ■ + W/Ri — WjRi H- . . . H- w„/?„ + WjRi' 

= Wi/?! + W 2 R 2 + ■ ■ . + wfii' H- . . . H- w„R„ (mod M). 

-Example. Suppose in our previous example that individual 2 wishes to change 

R 2 = 201 

to the new value 


R 2 ' = 103. 


16.3 Large Integer Arithmetic 309 


TABLE 16.3 



We compute the difference 

£) = 103 - 201 = -98 

and form the modified sum 

C ^ 74111215 + 98327950 ■ (-98) ^ -9562027885 ^ 47141263 (mod 141311311). 

To verify that this works see Table 16.3, in which we have once again recovered the 3 
records. 


.3 LARGE INTEGER ARITHMETIC 

CRT provides us with a particularly novel way to do arithmetic with very large nonnega- 
tive integers. We usually represent numbers using a single radix, like 

4231 = 4 • 10^ -H 2 • 10^ -H 3 ■ 10' -H 1 • 10“ 

or 

100011tase2 = 1 ■ 2^ H- 0 ■ 2^^ H- 0 • 2^ -H 0 • 2^ H- 1 • 2' H- 1 ■ 2“. 

The Chinese Remainder Theorem tells us that the representation of an integer x such that 

X ^ ai (mod m^) 

X = 02 (mod m 2 ) 


X = (mod m„), 

where the moduli are pairwise relatively prime, is unique modulo M = mi«i 2 . . . m„. Thus, 
we can either represent x in its “composed” representation, or in its “decomposed” repre- 
sentation. Using multiple moduli to represent an integer in this way is called a mixed radix 
system, or a residue number system. 
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I£xAMPLE. Take the integer 73, and note that 

73 ^ 9 (mod 64) 

73 ^ 19 (mod 27) 

73 ^ 23 (mod 25) 

73 ^ 24 (mod 49). 

We can thus represent the integer 73 as the vector 

(9, 19, 23, 24) 

where the moduli are here understood to be 64, 27, 25, and 49. There is no other positive 
integer less than M = 64 ■ 27 • 25 • 49 = 2116800 that is represented by this vector. In fact, 
every integer between 0 and 2116799 has a unique such representation. 

This motivates us to consider perhaps representing integers in this way; we can do arith- 
metic with such integers by instead doing the arithmetic with their smaller residues. 

□ 

I£xAMPLE. We take now the integer 1907833, and note that 

1907833 = 57 (mod 64) 

1907833 ^ 13 (mod 27) 

1907833 ^ 8 (mod 25) 

1907833 ^ 18 (mod 49). 

Using this representation, and the representation of 73 given earlier, we can then com- 
pute 1907833 — 73 by computing 

57 - 9 ^ 48 (mod 64) 

13-19= -6^ 21 (mod 27) 

8 - 23= -15 ^ 10 (mod 25) 

18-24= -6^43 (mod 49) 

This gives the vector 

(1,4, 9, 40) 

which is, in fact, the decomposed representation of 1907760 = 1907833 — 73. Taking the 
Inr of 1907760 modulo, each of the moduli easily checks this. We can multiply, add, and sub- 
tract (as long as the result of the subtraction is nonnegative) with numbers as large as 
M — 1 = 2116799 using this mixed radix representation. This works because of propositions 
20 and 21. 

□ 


16.3 Large Integer Arithmetic 311 


But why should we do this? There are two good reasons: 

1. We can reduce arithmetic with very large integers to arithmetic with much smaller inte- 
gers. If we choose the moduli carefully, we can arrange it so that none of the integers 
exceeds the word size of our computer. Thus, we can work quickly with a language’s prim- 
itive integer type. Integer need to he converted to and from their “large” representation 
only for input and output purposes. 

2. The arithmetic operations with the decomposed representation are completely indepen- 
dent of each other, so they can be done in parallel, significantly reducing operation time 
on multiprocessor machines. This is not true with arithmetic using normal radix repre- 
sentation. 

The IntCRT Class This class represents nonnegative integers as a series of residues 
modulo a series of moduli, where the moduli are all unique primes. It adds/multiplies two 
IntCRT objects together by adding/multiplying their residues together. The moduli are all 
primes not exceeding the largest value for a Java int, and hence the residues do not exceed 
the maximum int value either. This allows us to implement the moduli and residues as dual 
arrays of primitive type long (we use long since a multiplication of two residues may exceed 
the maximum int value). Here is an outline of the IntCRT class, with descriptions inter- 
spersed with the code. 

import 3 ava . ut i 1 . * ; 
import j ava . math . * ; 
public class IntCRT { 

IntCRT objects will consist of 

1. The moduli, which are stored in a static array of type long. Once they are set up, they are 
used by all subsequently declared IntCRT objects. Since they use the same moduli, they 
must all specify the same maximum modulus bit length (the bit length of the product of 
all the moduli) to be added or multiplied together. 

2. The residues, which are the corresponding residues for each modulus. 

3. A variable to record the maximum modulus bit length. 

//IntCRT objects are based on a series of ints modulo a series of long primes 
//The primes are stored here in this static array-all IntCRT objects will share 
this array 

static long[] moduli=null ; 

//A parallel array of residues for each IntCRT object holds its mixed radix 

representation 

long[] residues=null; 

//The maximum size of the modulus - computations must not exceed this modulus 
int maxModulusBitLength=0 ; 
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There is a single public constructor, which reads in a string of digits, and parses it as a 
Biginteger, say n. If this is the first IntCRT object created, we must set up the moduli. We 
begin with the largest odd primitive int value, and test it for primality. If it succeeds, we add 
it to the moduli, and if not, we subtract two from this number and continue in the same way 
until we have a product of moduli whose bit length exceeds the maximum modulus bit 
length specified in the constructor. We then produce the residues by taking the Biginteger 
n modulo each modulus. We convert each residue to a primitive long. Do not be concerned 
that we use the Biginteger class here (it seems like cheating). We only use it for input/out- 
put purposes. The addition/multiplication of IntCRT objects (the bulk of processing time for 
crypto purposes) will be done entirely with the primitive type residues. 

//This constructor produces the residues from the string of decimal digits 
//Also produces the prime moduli 

public IntCRT (String digitstring, int maxModulusBitLength) { 

//If modulus<=64 bits, we might as well be using ints 
if {maxModulusBitLength<65 ) throw new IllegalArgumentException 
("The maximum modulus bit length must be at least 65 bits"); 
this .maxModulusBitLength=maxModulusBitLength; 

//If the prime moduli are not yet set up, set them up 
if {moduli==null) setupModuli ( ) ; 

//The residues are long, but each will be no larger than an int 

//This is because multiplication of residues may exceed the size of an int, 

//requiring a long to store 

residues=new long [moduli . length] ; 

//Get the string and make it into a Biginteger; Biginteger only used for 10 
//conversions, 

//not for calculations 

Biginteger n=new Biginteger (digitstring) ; 

if (n. compareTo (BigIntegerMath. ZERO) <0 ) throw new IllegalArgumentException 
("IntCRT objects must be nonnegative."); 
if (n .bitLength ( ) >=maxModulusBitLength) throw new IllegalArgumentException 
("IntCRT objects must be less than maximum modulus bit length = " 
+maxModulusBitLength+" . " ) ; 

//Make each residue 
for (int i=0 ; i<residues . length; i++ ) 
residues [i] =n.mod (Biginteger .valueOf (moduli [i] ) ) . longValue ( ) ; 

} 

//Private constructor to make IntCRT object by passing in residues 
private IntCRT ( long [] residues) { 
this . residues=residues ; 

} 
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//Set up the prime moduli 
private void setupModuli ( ) { 

//Don't know how long array should be-start with a Vector 
Vector vector=new Vector (); 

Biginteger two=BigInteger .valueOf (2 ) ; 

//Start with the largest possible int-this is an odd number 
Biginteger test=Biglnteger .valueOf ( Integer .MAX_VALUE) ; 

//bigBubba will be the product of all the primes 
Biginteger bigBubba=BigInteger .valueOf (1) ; 

//When this product is big enough (has long enough bit length) we have enough 
//primes 

while (bigBubba .bltLength () <maxModulusBitLength) { 

//If test is prime, add it to the vector, and multiply bigBubba by it 
if (test . isProbablePrime (10 ) ) { 
vector .addElement (test) ; 
bigBubba=bigBubba. multiply (test) ; 

} 

//Subtract two from the test number-test is always odd 
test=test . subtract (two) ; 

} 

//We know the size of our array of primes-create the array 
moduli=new long [vector . size ()] ; 

//Copy the prime moduli into the array 
for (int i=0 ; i<vector . size ( ) ; i++) 

moduli [i ] = ( (Biginteger ) vector . elementAt ( i ) ) . longValue ( ) ; 

} 

The addition and multiplication methods follow. Note that the work is done entirely with 
primitive types. The code is not written to do these operations in parallel; however, this 
would be a great exercise for you. 

public IntCRT add(IntCRT other) { 

//IntCRT objects must be using the same moduli 
if (maxModulusBitLength! =other .maxModulusBitLength) throw new 
111 egal Argument Exc ep t i on 

("IntCRT objects must have same maximum modulus bit length to be added together"); 
long[] answer=new long [residues . length] ; 

//Add i-th residue of this to i-th residue of other, take residue mod i-th 
//moduli 

for (int i=0 ; i<residues . length; i++) 

answer [i] = (residues [i] +other . residues [i] ) %moduli [i] ; 
return new IntCRT (answer); 


public IntCRT multiply ( IntCRT other) { 

//IntCRT objects must be using the same moduli 
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if (maxModulusBitLength ! =other .maxModulusBitLength) throw new 
1 1 1 ega 1 Argument Exception 

("intCRT objects must have same modulus bit iength to be multiplied together"); 
iong[] answer=new iong [residues . iength] ; 

//Multiply i-th residue of this by i-th residue of other, may produce a long 

//Take residue mod i-th moduli 

for (int i=0 ; i<residues . length; i++ ) 

answer [1] = (residues [i] *other. residues [i] ) %moduli [i] ; 
return new IntCRT (answer ) ; 

} 

The toStringO method takes the residues and moduli, and “recomposes” the Biginteger 
using the solveCRT() method from the BigIntegerMath class. We then convert it to a string 
by calling the toStringO method from the Biginteger class. 

public String toStringO { 

//Make an array of Bigintegers for each modulus 
Biginteger [] m=new Biginteger [moduli . length] ; 

//We reconstruct a Biginteger from the residues by using the Chinese Remainder 
/ /Theorem 

for (int i=0 ; i<moduli . length; i++ ) m[i] =BigInteger.valueOf (moduli [i] ) ; 

//Make an array of Bigintegers for each residue 
Biginteger [] r=new Biginteger [residues . length] ; 

for (int i=0;i<residues. length; i++) r [i ] =BlgInteger .valueOf (residues [i] ) ; 
//Reconstruct the Biginteger and return it as a string 
Biginteger whopper=BigIntegerMath. solveCRT (r ,m) [0] ; 
return whopper . toString ( ) ; 

} 

}//End of IntCRT class 

Figures 16.2, 16.3, and 16.4 are shots of TestIntCRTApplet. 



FIGURE 16.2 
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FIGURE 16.3 





16.4 RANDOM NUMBER GENERATION 

Many cryptosystems depend on the ability to generate random numbers, where random 
means in the sense that the values could not be easily predicted by an adversary. Perhaps sur- 
prisingly, this is difficult to do in practice. Without special hardware, a computer cannot 
truly generate random numbers; they can merely produce what we call pseudorandom num- 
bers based on some deterministic mathematical algorithm, and an initial number called a 
seed. If either the seed or the transformation is not chosen carefully enough, an adversary 
can predict, to a high degree of accuracy, the pseudorandom numbers produced. 

CExAMPLE. Conventional random number generators are insufficient for protecting the secrecy 
of the numbers they generate. An example is a linear congruential generator, which pro- 
duces a sequence Xj, X 2 , ... of pseudorandom numbers given by the affine transformation 


x„ = flx„_i + b (mod m) n > 1, 0 < x„ < m. 
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The values a, b, and m are parameters which define the generator; Xq is the seed which 
generates the sequence. If any of these values are compromised, or can be guessed, this 
generator cannot produce unpredictable numbers. It turns out that with this particular trans- 
formation, this is rather easy to do; given a partial sequence of these random numbers, the 
rest of the sequence can often be constructed even when a, b, m, and Xq are unknown. 


It should come as no surprise that many of the same transformations that we use to 
encrypt data can also be used to generate random numbers. After all, the purposes of dis- 
guising messages and the purposes of disguising the previous numbers and the seed in a 
sequence of pseudorandom numbers are very similar. A random number generator able to 
produce integers that cannot be predicted by an adversary are suitable for cryptography; 
these are called cryptographically secure pseudorandom bit generators (CSPRBG). Descrip- 
tions of two such generators follow; the first resembles Rabin, while the second resembles 
RSA. 

Blum-Blum-Shub Pseudorandom Bit Generator To generate pseudorandom 
numbers or bitstreams; 

1 . Choose two secret strong primes, p and q, both congruent to 3 modulo 4. Form n = pq. 
Choose j as a positive integer not exceeding log 2 (log 2 n) 

2 . Select a random integer seed s such that 

• 2< s <n 

• s and n are relatively prime. 

Compute Xg = the Inr of modulo n. 

3 . Repeat for as long as desired: 

• Compute X, = the Inr of x,_i^ modulo n. 

• Let Zi be the j least significant bits of x,. 

4 . The output sequence is Zi, Z 2 , Z 2 , ■ ■ ■ ■ 


iZMxAMPLE. For this example we will use small primes; in reality, we must use large, strong 
primes. Suppose we choose p = 11351, q = 11987. So n = 136064437. We compute j as 4, 
the largest integer not exceeding log 2 (log 2 («)) = 4.75594, and we will select as our seed 
s = 80331757. We wish to generate a stream of 2 blocks, each of bit length 4; we compute 
the values 


80331757^ ^ 131273718 (mod 136064437) 
jcj ^ ^ 131273718^ ^ 47497112 (mod 136064437) 

Zi = 47497 112= 8 = lOOOgase 2 (mod 2‘*') (the 4 least significant bits of Xi) 
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X 2 ^ ^ 47497112^ ^ 69993144 (mod 136064437) 

Z 2 = 69993144 = 8 = 1000|,ase2 (mod 2'*) (the 4 least significant bits of X 2 ) 

The final “random” bitstream produced is 

10001000 . 

Admittedly, it isn’t much to look at. We need to generate a much larger stream, and will 
do so in the next example. 

□ 

Example. Here we produce a much longer stream of 100 blocks, each of bit length 4. We 
will use exactly the same parameters p = 11351, q = 11987, n=pq= 136064437, y = 4, and 
the seed s = 80331757. 


1000 

1000 

0101 

1111 

1110 

0101 

1101 

0001 

0000 

0000 

0000 

1000 

1100 

1101 

0001 

0101 

0110 

1010 

1110 

0110 

0110 

0000 

1011 

0011 

1000 

1010 

1100 

1010 

0000 

1101 

1110 

0100 

0111 

1111 

1010 

0000 

1011 

1001 
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1000 
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0001 

0000 

0101 

0011 
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0111 

0011 
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0111 
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0010 

1111 

1111 

1100 

0110 

0001 

0011 

1110 

0111 

0001 

1111 

0010 

1111 

1100 

1011 

0011 

1111 

1111 

1110 

1010 

1000 

1001 

0111 

0111 

0010 

0100 

1001 

0010 


1100 

You may wish to check these values, or write a program to check them. (I recommend 
the latter.) 

□ 

The CSPRBC Class I have designed a class which implements the Blum-Blum-Shub 
algorithm for generating random bitstreams. For convenience, the modulus n = pq will be 
fixed at 1025-1026 bits. Using this bit length for n, we should choose no more than 10 of 
the least significant bits after each squaring. For convenience again, we will choose the 8 
least significant bits, allowing us to easily place them in a byte array using the method fill- 
Bytes(). We can also retrieve a single byte using the getRandomByte() method. The code 
for the CSPRBG class follows. 

import j ava . math . * ; 
import java. security ; 
public class CSPRBG { 

Biginteger p, q, n, seed; 
public CSPRBG (byte [ ] seed) { 

this . seed=new Biginteger (seed) ; 

if (this . seed. bitLength () <515) throw new 

lllegalArgumentException ( "Seed too small"); 

SecureRandom sr=new SecureRandom (seed) ; 

//Use a SecureRandom object to get the strong primes 
PrimeGenerator pg=new PrimeGenerator (513 , 16, sr) ; 
do {p=pg . getStrongPrime ( ) ; } 
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} 


while ( ! p .mod (BigIntegerMath. FOUR) .equals (BigIntegerMath. THREE) ) ; 
do {q=pg. getStrongPrime ( ) ; } 

while ( ! q. mod (BigIntegerMath. FOUR) .equals (BigIntegerMath. THREE) ) ; 
n=p. multiply (q) ; 

} 

//Fills an array of bytes with random data 
public void fillBytes (byte [ ] array) { 
for (int 1=0 ; i<array . length; i++ ) { 

//Seed is continually squared 
seed=seed. multiply (seed) .mod(n) ; 

//Least significant byte of residue is the i-th random byte 
byte b=seed.byteValue ( ) ; 
array [ i ] =b ; 

} 

} 

//Returns a single byte of pseudorandom data 
public byte getRandomByte ( ) { 

seed=seed. multiply (seed) .mod(n) ; 
return seed.byteValue ( ) ; 



Figures 16.5, 16.6, and 16.7 are screen shots of the test applet (TestCSPRBGApplet). 
You first enter a seed as a large integer, then press the button repeatedly to get random bytes, 
which are displayed as decimal integers in the range — 128 thru 127. 


Micali-Schnorr Pseudorandom Bit Generator To generate pseudorandom num- 
bers or bitstreams: 

1. Choose two secret strong primes, p and q, and form n = pq. 

Let N equal the bit length of n. 
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FIGURE 16.6 
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FIGURE 16.7 



Choose an exponent e such that 

• \<e<(p - 1)(^ - 1) 

• e is relatively prime to (p — l)(q — 1) 

• 80 e<M 

Let k be the largest integer not exceeding N(l — 2/e). 

Let r = N — k. 

2. Select a random seed Xg of bitlength r. 

3. For i = 1 , to Z do: 

• Compute y, = the Inr of x,-!® modulo n. 

• Let X; be the r most significant bits of y,. 

• Let z, be the r least significant bits of y,. 

4. The output sequence is Zi, Z 2 , Z 3 , ■ ■ ■ , Zz- 

The numbers z, may not be large enough for an application’s purposes; in this case, one 
concatenates as many of the numbers together as necessary to form a sufficiently large inte- 
ger. 
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16.5 SIGNING MESSAGES 

Signing messages is a concept which arose with public key cryptography. When you receive 
a message encrypted with your public key, how do you know the message is from whom 
claims to have sent it? After all, your encryption keys are public, and so anyone can encrypt 
messages to you. Signing is a way for the sender to modify the message in a way that could 
only be done by her. 

Each public key scheme usually defines a method to perform signing. Sometimes the 
signing closely resembles the enciphering mechanism, but often it does not. We will first 
cover signing with RSA, the first system to propose this concept. 

Signing with RSA Suppose individual A wants to send a message P to individual B 
using RSA in such a way so that B knows the message could only have come from individual 
A. Suppose A uses the RSA modulus n = pq, and the exponents e and d, while individual B 
uses n* =p q* , and the exponents e and ct . Of course, neither party knows the other’s pri- 
vate key. Individual A does the following: 

1 . Individual A computes 

Ci= (mod n) 

using her decryption exponent. (No one else can do this if A is protecting her private 
key.) 

2. If Cl > n , it is necessary for A to separate Ci into blocks before applying the transfor- 
mation 

C ^ Cl"* (mod n ) 

and form the final ciphertext to send to B. 

To decrypt the message sent by A, B does the following: 

1 . B decrypts the message C by applying 

Cl = (mod n) 

to regain Ci. 

2. B then computes 


P = Cl" (mod n) 

using A’s public information to recover the plaintext. 

Actually, it isn’t necessary for A to encrypt the message a second time using B’s public 
information if she isn’t concerned with who reads the message. B could simply decrypt 
with A’s public key to retrieve the plaintext. However, anyone else could do the same thing. 
If privacy (in addition to integrity) is an issue (and it usually is), both transformations are 
involved. 

Is this all there is to it? No. Establishing one’s identity couldn’t possibly be this easy. For 
example, is it possible someone could publish his or her public key values using someone 
else’s identity? If this is not regulated in some way, the answer is yes. Most public key 
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schemes in use provide a mechanism by which individuals must establish their identity with 
an entity called a “Trusted Third Party” or TTP, when publishing their keys. If necessary, 
these TTPs can establish that the individual using a certain set of keys is actually the per- 
son he or she claims to be. The TTP does not need to know anyone’s private keys to do this. 


I£xAMPLE. For simplicity’s sake, we will use small parameters, and so that blocking will 
not be an issue, we will arrange it so that n < n . 

Suppose individual A (the sender) chooses p = l and q = 19, so that n = 133. Individual 
A chooses e = 5 as the encryption exponent, and computes d = e' = 5' = 65 (mod 108). 

Individual B (the recipient) chooses p* =\\ and q* = 23, so that n = 253. Individual B 
chooses e = 9 as the encryption exponent, and computes r/ = e' = 9' = 49 (mod 253). 

A wishes to send the message P = 93 to B with a signature. Individual A first computes 

Cl ^ 93“ ^ 4 (mod 133) 

No one else can do this because A’s decryption exponent is private. Individual A then 
encrypts using B’s public encryption exponent and modulus: 

C ^ 4® ^ 36 (mod 253). 

This is the final ciphertext, which is sent to B. Cl is first recovered by decrypting with 
B’s private decryption exponent: 

36^9 ^ 4 ^ Cl (mod 253). 

No one can do this except B, and so privacy is assured. Finally, B uses A’s public expo- 
nent and modulus to recover the plaintext P: 

45 ^ 93 = P (mod 133). 

□ 

Java Algorithm Writing the methods to sign with RSA in this way are easy since most 
of the work has already been done. The methods to do this (from the Ciphers class) follow. 

public static bytel] RSAEncipherSigned ( 
bytell msg, 

Biginteger dSender, 

Biginteger nSender, 

Biginteger eRecip, 

Biginteger nRecip, 

SecureRandom sr) { 

return RSAEncipherWSalt 

(RSAEncipherWSalt (msg, dSender , nSender , sr) , eRecip, nRecip, sr) ; 

} 

public static bytel] RSADecipherSigned ( 
bytell msg, 

Biginteger dRecip, 

Biginteger nRecip, 
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Biginteger eSender, 
Biginteger nSender) { 


return RSADecipherWSalt (RSADecipherWSalt (msg, dRecip, nRecip) , eSender , nSender) ; 

} 


Of course, the variables eSender, dSender, and nSender refer to the message sender’s 
key information, while eRecip, dRecip, and nRecip refers to the recipient’s keys. Note that 
neither the sender nor the recipient needs to know the other’s private info for message 
exchange. Also, note that enciphering is an application of RSAEncipher( ) twice, first using 
the sender’s private exponent, then using the recipient’s public exponent. It is done this way 
so that padding and blocking issues will be handled correctly. Because of the symmetric 
nature of the RS A enciphering and deciphering transformations, this works. Likewise, deci- 
phering involves applying RSADecipher( ) twice with different exponents. You will find that 
writing methods to sign using other algorithms won’t be quite so easy. 

Following is the output of a simple console program TestRSACipherSigned. The code 
can be found on the book’s website: 

Plaintext message: 

Little Willy Willy won't GO HOME! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 

Sender ' s keys : 


n=477823 173 909498405997193 614062 827870319711697063408892 05910 600511651090 
1324842762783453285232353074783464254995516764280738329563279965438228948 
9280441812866482827362912397521119899724567407854726573606946785783804821 
1490867893827447459512197749446350191839654657188532964841056340856133204 
8607351598198101709 

e=83 3 12 974 644 643 859 9 03 2 67 94 683 47 081594 85 647 8 58 62 51792 12 4 85115 61 6222 2 872 37 
1938788281455011764149010812987977689838516046837523319281290153766339312 
0677513551158027200673951042206830189406463160246696648959448501005242846 
6888908193934245905541876379902315861267261663565682552051628101445975498 
10696099572097327 

d=4 6 84 83 8 91 642 423 3 02 2 5 071449 66 6 604 63 74 112 2 47 13 7 99 115112 04 06092 72 7 0149 9 82 6 
8502130258770328850822705030787904612308076555045283496664108139377795438 
1875804833671832013034092429080034687115183115320067520484468472483902330 
5828867419996923021611059513161144563449042171090062883791376144836807314 
5108476860945640143 


Recipient's keys: 

n=4003 006489013 1045556164143 9066399772 1027813942 65593 84091698962 93 40257 81 
2870529067795493232933422841793524046547588390029559846808892299192424339 
2777303590896263511254432673090184816373225509026440453562416752000207951 
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9356433725290818322063237477659539960679619018282576265414797224176810239 

4461794720293192639 

e=10738975467716313 01622 6411982 6160633 7509 693 528009697337882 0148373901000 
0377470313772198875565203421763473641679025697618732906800200949388901714 
4337965064160547094535922354431198904536464821168309068889027430457499760 
1091047270120113110989646463412317973823604744394241847030235719949845268 
584917833408071651 

d=3 412 0427 819749 165542 2 58 873 63 06802 43 843 8852 069 12 3 93 3 9 52 9 17 0473 057 523 5416 
8499010091359026204518569891972265492221968149078409284214574471096638649 
6508925391380739896819274937783290922865761442395151744157771365693061239 
9916291158832430035510226908257536825863178385774457780384766899733604450 
9358887363459579267 


Doubly enciphered signed message: 

tii... ??-aui ? (dRc (uSIs«Uaa6R.K>; D . >Dyf SE-iC9BDicd_0T»%i6? { DceW9'Q 
ny2?A?4ut/CH3 06U 
□Au?)UjA™<R-l@0A 

£uDu“{euU\±by|©D-R,UeYpL0a?SuDD6DiE6s22!H^''O®KPD- E) 'Oa^-Vi 
ekuDoDyuf" — pDu prDmy 9®/+ acel«%Q-'lIv^yDE=uu- . Zce™7S- 

Nqp-?±D_?wy2fuY5eoeDDp M6iEDx®=z }©xAGDan®BDD " Ya yDac 
Dt™l 

Doubly deciphered signed message: 

Little Willy Willy won't GO HOME! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 


Signing with Rabin Rabin signatures are simple to produce. Suppose individual A 
wants to send a message P to individual B using Rabin in such a way so that B knows the 
message could only have come from A. Suppose A uses the Rabin modulus n = pq, while 
B uses n =p q*. (The primes involved now are all congruent to 3 modulo 4, as required by 
Rabin.) Of course, neither party knows the other’s private key. A does the following: 

1. A computes a square root of P modulo n (if P has such a square root); that is, she com- 
putes a value, say Cj, such that 


Ci^ = P (mod n). 

This transformation can produce up to four roots; it doesn’t matter which root she chooses. 
(No one else can do this if A is protecting her primes p and q, as computing a square root 
modulo n without its prime factorization is an intractable problem.) 

Note that a particular message may not have a square root modulo n. The sender 
must salt the message (or salt each block) in such a way that the salted result has a square 
root modulo n. This isn’t difficult, because the odds of some random integer having a 
square root modulo n is quite likely. The amount of salt to use for this purpose is agreed 
on beforehand. 
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2. If Cl > « , it is necessary for A to separate Ci into blocks, and add redundancy before 
applying the transformation 

C = Ci^ (mod n*) 

and form the final ciphertext to send to B. 

To decrypt the message sent by A, B does the following: 

1. B decrypts the message C by sending it through his decryption machine to regain Ci. That 
is, it computes the square roots of C modulo n . If redundancy was added at the proper 
point, his decryption machine can determine the correct root congruent to Ci out of the 
four possible roots calculated. 

2. B then computes 

P = Ci^ (mod n) 
using A’s public modulus to recover the plaintext. 

Once again, the enciphering and deciphering transformations are used not only to ensure 
that the message was from the sender, but also to ensure that no one other than the intended 
recipient can decipher it. 

HXAMPLE. For simplicity’s sake, we will use small parameters. Suppose individual A (the 
sender) chooses p = 10259, and q = 10739, so that n = 110171401. Individual B (the recip- 
ient) chooses p = 10691, and q* = 11351, so that n = 121353541. Note that all primes are 
congruent to 3 modulo 4. (There is a table in the appendices listing all primes less than 
12000, plus their Inr’s modulo 4.) 

A wishes to send the message P = 1696082 to B with a signature. This message may not 
have a square root modulo n. A first checks this, and discovers that it does not; so by adding 
salt (just a single digit will do here), she eventually obtains a value that has a square root; 
namely, 

P' = 16960824 

A then computes the square roots of 16960824 modulo 110171401. B does this by com- 
puting 

^ = ±P*'P'^^'‘^qq^, ± P^‘^*^^'*ppq, (mod n) 

where q^, is an inverse of q modulo p, and p^, is an inverse of p modulo q. The values desired 
are 


p^, = 1320 
qp, = 8998 

This yields the four roots 

X ^ 50253700 (mod 110171401) 
jc ^ 40866715 (mod 110171401) 
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X ^ 59917701 (mod 110171401) 

X ^ 69304686 (mod 110171401). 

No one else can do this since only A knows the values of p and q. A selects one of these 
roots (it doesn’t matter which), say x = 59917701. To compute the final ciphertext, it is nec- 
essary that A reblock the text and add redundancy so that B’s decryption machine can select 
the correct root out of the four possible roots generated by the decryption transformation. 
Thus, the message is split into 

xi = 59915991 
X2 = 77017701 

A then encrypts using B’s public modulus: 

Cl = 5991599P ^ 20072206 (mod 121353541). 

Cj ^ 77017701^ = 11711668 (mod 121353541). 

This is the final ciphertext, which is sent to B. To recover the plaintext, B must first solve 
for the square roots of Ci and C 2 modulo 121353541: 

X = ± (mod n*) 

where q*pt., is an inverse of q* modulo p*, and p*^*, is an inverse of p* modulo q*. The val- 
ues desired are 


= 2253 
q*p*. = 8569 

This yields the four roots for Cp 

X ^ 36623739 (mod 121353541) 

X ^ 61437550 (mod 121353541) 

X ^ 84729802 (mod 121353541) 

^ X = 59915991 (mod 121353541). 

Since the last root is the one possessing redundancy, it is chosen as the correct root. The 
redundancy is discarded to yield Xj = 5991. It is highly unlikely that another root will pos- 
sess this redundancy (especially if we use large redundant blocks). 

The four roots for C 2 are: 

X ^ 28117593 (mod 121353541) 

X = 44335840 (mod 121353541) 

X ^ 93235948 (mod 121353541) 

^ X ^ 77017701 (mod 121353541) 
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It so happens that the last root is again the correct one. The redundancy is discarded to 
give X 2 = 7701. Since no one can do this except B, privacy is assured. Finally, B reforms the 
message x = 59917701 and uses A’s public modulus to recover the plaintext P' (with salt): 

59917701^ ^ 16960824 ^ P' (mod 133). 

The salt is removed, and the plaintext is regained: 

P = 1696082. 


16.6 MESSAGE DIGESTS 

A message digest is basically a fixed-size compressed version of an arbitrary length mes- 
sage. This compression is done by way of something called a digest function, which is really 
a special type of hash function. 

You have probably heard the term hash function before, for we use them when we con- 
struct hash tables. A hash table is a way of storing data so that it can be retrieved very 
quickly. The hash function maps a data item to an index in a table; a “good” hash function 
is one that very rarely maps two different data items to the same index. This property is 
known as collision resistance. 


I£xAMPLES. Suppose we represent the data as large integers, and suppose the hash function 
is defined as 

h{x) = Inr of x modulo 2®'*. 

Thus, the hash value is merely the trailing 64 bits of the binary representation of x. If the 
data items are evenly distributed, this may be a suitable mapping for a hash table. 

For example, if x = 200900995406429488306921947010403054300, then 

h(x) = 12493796564522152668 

^ 200900995406429488306921947010403054300 (mod 2^) 

or 

/z(x)=1010110101100010111000011100011111001100010101101011001011011100base2- 

However, since data are rarely evenly distributed, we might choose a hash function such 
as this one: 


g(x) = Inr of X modulo p 

where is a large prime. Since any message x not divisible by p will be relatively prime to 
p, an overabundance of messages having the same trailing digits will tend to be spread out 
among the range of hash values. 


Most of these “classical” hash functions are not suitable for cryptography, however. For 
reasons which will become apparent, a hash function, say h, used to produce message digests 
must also satisfy the following properties: 
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Definition 

A hash function his a digest function if it satisfies all of the following properties: 

1. Given a hash value h(m), it must he extremely difficult to determine m. 

2. Given a message m, it must be extremely difficult to find another message m' such 
that h(m) = h(m'). 

3. It must be extremely difficult to find any two messages, say m and m', for which h{m) 
= h{m'). 


Property 2 looks very much like property 3, but they are quite different. The former says 
that if we start with a given message, we can’t find another that maps to the same hash 
value. The latter does not specify that we start with a particular message; it only requires that 
we cannot find any two messages that map to the same digest. 

A hash function that satisfies these three properties will be called a digest function. Some- 
times we will also refer to the function as a digest, but we also use the word digest to refer 
to the output of a digest function; the intended meaning should be clear from the context. 

If we take the hash functions from the previous examples, it is easy to see that they could 
not be digest functions, since they fail some of the required properties. For example, any two 
messages with the same trailing 64 bits will map to the same hash value using function h. 
The function g likewise fails to have property 2. 

Digest functions are very much like good ciphers, in that the values they produce must 
look random to the point that an adversary cannot tell what the originating data was. There 
are three important differences between digest functions and ciphers, however; they are: 

1 . A cipher is intended to be reversible, given a certain secret key. Digests are specifically 
intended not to be reversible, no matter what information one has. 

2. A digest function compresses the data, whereas a cipher generally does not. In fact, a 
cipher usually expands the data. 

3 . Digest functions use no keys; the scrambling effect that they produce comes about by the 
nature of the mathematical transformation itself. Such a digest is referred to as a Modi- 
fication Detection Code (MDC); the name signifies the basic purpose. However, other 
digests use keys; such a digest is called a Message Authentication Code (MAC). 

Now we will cover a specific digest function; namely, the Modular Arithmetic Secure 
Hash, Algorithm 2 (MASH-2). 

MASH-2 The following produces an n bit digest of a message x of bitlength b such that 
0<b< 2"'^. 

1 . Choose two primes such that their product, M, is m bits in length. 

2. The integer n is chosen as the largest multiple of 16 not exceeding m; n is the bitlength 
of the digest. 

3. Hq = 0 is an initialization vector; we will define another n bit constant A, such that 

A = 11110000. . .OOOObase 2- 
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4. Pad the message x with zeros, if necessary, to make the bitlength of x a perfect multiple 
of n/2. Divide x up into t blocks, each of bitlength n/2 (t may be 1). Add another n/2 bit 
block, which is the (n/2) bit representation of b. We represent this as: 

X X|, X 2 , - - ■ , X^, X^-^j. 

Note that each of the blocks is a multiple of 8. 

5. For each i from 1 through t, divide x, into 4-bit blocks; insert the bits 1111 before each 
4-bit block. This produces an n-bit block, say y„ from each x,. Then divide x ,+ 1 into 4- 
bit blocks, but this time, insert the bits 1010 before each 4-bit block. This yields the 
expanded message 

y = yi,y2, ■ ■ ■,y„y,+i- 

6. Now, to compute the digest. For i from 1 through f H- 1 do the following: 

• Compute Fi = Inr of ((//,_ 1 © y,) OR modulo M (where OR means bitwise inclu- 
sive-or, and © represents bitwise exclusive-or). 

• Let G; be the n rightmost bits of F,. 

• Compute Hi = G,©//,_i. 

7. The digest is 

Example. We will again use very small numbers. Let the message be x = 45 = 101101 
(binary), and so the bitlength of x is h = 6 = 110 (binary). Let p = 6911 and q = 6947; thus, 
M = 48010717 = 10110111001001010111011101 (binary). The bitlength m of M is 26, so 
we choose n = 16. The IV (initialization vector) Hq is 0, and the constant A is 
111 1000000000000 (binary). We pad the message with zeros so that it is a multiple of 16/2 
= 8; that is, 

x= 10110100. 

Now we divide this up into 8 bit blocks; in this case, there is only one such block (t= 1). 
We append another block, which is the 8-bit representation of b, or 00000110. So, we have 

Xi = 10110100 

X2 = 00000110. 

We divide the message up by splitting each block x, (where i < t) into 4-bit blocks, and 
inserting 1111 before each such 4-bit block. For Xi this yields 

yi = 1111101111110100. 

The last block is split in the same way, but 1010 is inserted before each block. Hence, 
for X 2 we have 

y2= 1010000010100110. 


Now, to produce the digest: 
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^ ((//o © Ji) OR ^ ((0000000000000000 © 1111101111110100) OR 
1111000000000000)'“““°* ^ (1111101111110100 OR 1111000000000000)'°°°°°“' ^ 
1111101111110100'°°°°°°°' = 101011011010010100101011 (mod 
10110111001001010111011101). 

Gi is taken to be the 16 rightmost bits of Fi, so 

Gi= 1010010100101011. 

We take Hi by computing 

//i = Gi © //o = 1010010100101011. 

We compute Hi in the same way: 

Fi ^ ((//i ©yz) ORA)257 ^ ((1010010100101011 © 1010000010100110) OR 
1111000000000000)'°°°°°°°' ^ (0000010110001101 OR 1111000000000000)'°°°°°°°' ^ 
1111010110001101'°°°°°°°' = 10001000101100100000010111 (mod 
10110111001001010111011101). 

G2= 1100100000010111 

//z = Gz © Hi = 1100100000010111 © 1010010100101011 = 0110110100111100. 

The final digest value is 0110110100111100. 

Of course, this was a lot to go through for such a tiny message; in fact, in this case, the 
digest is larger than the message! Of course, we could have used a message up to 2* — 1 = 
255 bits in length for this example. 

□ 

The MASH2 Class I have designed a class to generate digests of messages using the 
MASH-2 algorithm. The digestOf() method accepts a message as a byte array, and returns 
the digest as a byte array. 

import j ava . math . * ; 
import java. security ; 
public class MASH2 { 


//Define some handy values 

static Biginteger two=BigInteger .valueOf (2 ) ; 
static Biginteger ten=BigInteger .valueOf (10) ; 
static Biginteger fifteen=BigInteger .valueOf ( 
static Biginteger sixteen=BigInteger .valueOf ( 
static Biginteger exp=BigInteger. valueOf (257) 


//=binary 1010 

15) ; //=binary 1111 

16) ; 


Biginteger modulus; 


public MASH2 (Biginteger modulus) { 
this .modulus=modulus ; 


} 
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public byte[] digestOf (byte [ ] msg) { 

//Convert message to Biginteger-easier to work with 

//Ensure the Biginteger is positive using Biginteger { int signum, byte [ ] b) 
//constructor 

Biginteger msglnt=new Biginteger ( 1 ,msg) ; 

//b is bitlength of msg 

Biginteger b=BigInteger . valueOf (msgint .bitLength ( ) ) ; 

//n is largest multiple of 16 not exceeding bitlength of modulus 
int n=modulus .bitLength ( ) /16*16 ; 

//Check that msg is not too large for use with MASH2 
if (b. compareTo ( two .pow(n/2 ) ) >0 ) throw new IllegalArgumentException 
("Message is too large"); 

//Pad msg with enough zeros to make it a multiple of n/2 
int amountToShift=msgInt .bitLength ( ) % (n/2 ) ==0?0 : (n/2)- 
msglnt .bitLength ( ) % (n/2 ) ; 
msglnt=msglnt . shif theft (amountToShift) ; 

//Define variable for 2 raised to n power 
Biginteger twon=two .pow (n) ; 

//Define initialization vector H 
Biginteger H=BigInteger . valueOf ( 0 ) ; 

//Define n bit binary numeric constant A=11110000 . . . 0000 
Biginteger A=BigInteger .valueOf ( 15 ) .multiply (two .pow (n-4 ) ) ; 

//Process the first t blocks 
int t=msglnt .bitLength( ) / {n/2 ) ; 

Biginteger prevH; 
for (int i=0 ; i<t ; i++ ) { 
prevH=H; 

H=BigInteger .valueOf ( 0 ) ; 

//Process the 4 bit nybbles-there are n/8 of them 

Biginteger rem; 

for (int j=n/2-4; j>=0; j-=4) { 

//Each byte begins with lllIB 
H=H . shiftLef t (4 ) .or (fifteen) ; 

//Shift msg to right and keep last 4 bits 
rem=msglnt . shiftRight {j+n/2*(t-l-i) ) .mod (sixteen) ; 

//Append this remainder to H 
H=H . shiftLef t (4 ) .or (rem) ; 

} 
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//Compute the new digest value for H 

H=prevH.xor (H) .or(A) .modPow( exp, modulus) .mod(twon) .xor(prevH) ; 


} 

//Process the t+1 block 
prevH=H ; 

H=BigInteger . valueOf ( 0 ) ; 

//Process the 4 bit nybbles 

Biginteger rem; 

for (int j=n/2-4; j>=0; j-=4) { 

//Each byte in last block begins with lOlOB 
H=H . shift Left (4 ) . or (ten) ; 

//Shift b to right and keep last 4 bits 
rem=b. shiftRight ( j ) .mod ( sixteen) ; 

//Append this remainder to H 
H=H . shif theft (4 ) .or (rem) ; 

} 

//Compute the final digest value as a Biginteger 
H=prevH.xor (H) .or(A) .modPow( exp, modulus) .mod(twon) .xor(prevH) ; 

//Convert to a byte array and return-call helper method getBytes ( ) . 
return getBytes (H) ; 

} 

//Converting Biginteger to a byte array may force an extra byte for a sign bit. 
//We remove this byte if it is produced 
private static byte[] getBytes (Biginteger big) { 
byte [ ] bigBytes=big. toByteArray ( ) ; 
if (big.bitLength ( ) %8 ! =0) return bigBytes; 
else { 

byte[] smallerBytes=new byte[big.bitLength()/8]; 

System. arraycopy (bigBytes, 1, smallerBytes , 0 , smallerBytes . length) ; 
return smallerBytes; 

} 



TestMASH2Applet is an applet on the book’s website you can use to view the behavior 
of MASH-2. A modulus about 1024 bits in length is generated. You enter a message, then 
press a button to see its digest. The digest is displayed as a base 10 integer. (See Figure 
16.8.) 

One of the drawbacks of MASH-2 is that the digest it produces can be rather large. To 
be secure, the size of the modulus should be at least 1024 bits, which implies that the digest 
will likewise be 1024 bits, or 128 bytes long. For most applications, digests should be around 
128 bits long. 
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Uses of Message Digests Digests are most commonly used for two purposes: 

1 . Ensuring data integrity. This refers to methods that the recipient of data can use to deter- 
mine whether or not this data has heen modified. It is sometimes possible for an adver- 
sary, even without knowledge of keys, to modify a message in such a way so that it 
appears valid to the recipient. 

2. Providing authentication of the origin of data. This means that the recipient can ascer- 
tain whether or not a message is from the entity that claims to have sent it. Signing mes- 
sages in the manner described earlier can do this. 

When you think about it, each of these two objectives is necessary for the other. To argue 
this, consider a message of which origin you cannot be sure; then knowing whether or not 
it has been modified is not useful information. On the other hand, if you cannot be sure 
whether or not a message has been modified, then knowing its true origin does not help. Thus, 
a digest must always be used to provide assurances of both the integrity and the authentic 
origin of data. 

Here are some examples of how a digest can be used to do this. 

Transmission of a Digest by Secure Means The sender of a message computes 
a digest for the plaintext message. The message is sent (probably encrypted, but perhaps not 
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if privacy is not a concern) via an insecure channel, whereas the digest is sent by way of a 
secure channel. Here, a secure channel may mean: 

• An electronic means of data communication known to be safe. 

• The telephone, where voice recognition provides the authentication. 

• Transporting the data by trusted physical means. 

When this is done, the recipient of a message can compute the digest for it, then com- 
pare this to the digest received. If they match, the recipient accepts the message as authen- 
tic and unmodified (since the digest was sent via secure means.) 

Due to the logistical problems involved, this type of assurance is rarely used. The mere 
problem of not being able to guarantee a “secure” channel is the reason cryptography evolved 
in the first place. However, this example is given to make you realize the importance of 
never sending a digest along the same lines of communication as a message. An adversary 
can capture both the message and the digest. He can then construct a new message, com- 
pute a digest for it, and then send them to you. This is easily done even if a public key 
encryption scheme is being used. (Think about it; everyone knows your public key, and 
everyone knows the digest function.) 

Signing the Digest One of the problems with signing messages in the manner 
described earlier is that basically, the sender does double encryption, and double decryption 
is done by the recipient. This may be too costly in terms of computer resources, especially 
if messages are being transmitted in real time (like an audio or video signal). 

One solution is for the sender, say A, to produce a digest from the plaintext. A then singly 
encrypts the message using the public key of the recipient, say B. A then doubly encrypts 
only the digest, first using the private key of A, then B’s public key. The message and the 
digest are then sent. It doesn’t matter now if the digest is sent with the message. B decrypts 
the message, then decrypts the digest first using B’s private key, then As public key. B then 
calculates a digest of the decrypted message. If it matches the decrypted digest, B accepts 
the message. See Figure 16.9. 

Why does this work? Could an adversary capture the message and the digest, and pro- 
duce a new message and digest? Since the digest was first encrypted using A’s private key, 
an adversary has no way to duplicate this. The best she can do is “guess” a digest value for 
her modified message, in the hopes that it will match the digest computed by B from her 
bogus message. If the digest size is large enough, say 128 bits, this is extremely unlikely; 
in this case, the probability of all 128 bits matching is 1/2^^®, or less than 2.939 X 10^^®. 

Encrypting Digest with Message The situation of sending a digest along the same 
line of communication as the message is not necessarily unique to public key cryptosystems. 
Data authentication is also important for secret key cryptosystems. Even with secret key 
ciphers, it is sometimes possible for an adversary to modify a message so that it appears 
meaningful to the recipient. This is actually quite easy if the message possesses little struc- 
ture; for example, a series of widely ranging numbers in binary format. The adversary does 
not need to know the secret key to do this. (If they knew the secret key, you would be up 
the creek anyway!) 
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FIGURE 16.9 
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We deal with this very simply: we compute a digest for the plaintext message, then 
append it to the message. This larger message is then encrypted, and sent. The decryptor 
checks that the tail end of the decrypted message is the digest of the data that precedes it. 
Without knowledge of the secret key, it is highly unlikely that an adversary can construct a 
message that decrypts to a message having this special structure; that is, with the tail of the 
message being a perfect digest of the rest of the data. (See Figure 16.10.) 

Note here that we cannot attach a digest to a message in this way if we are using a pub- 
lic key system, and encrypting using only the recipient’s public information. It should be 
obvious why this is so. 


16.7 SIGNING WITH ELGAMAL 

The ElGamal signature scheme was specifically intended to work with digests. Suppose a 
sender, say A, is using the public key ip, g, y), and the private key a, where p is a large, safe 


FIGURE 16.10 
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prime, g is a generator modulo p, and y is the Inr of g" modulo p. Suppose r/ is a public mes- 
sage digest function. To generate a signed digest of a message P, A must do the following: 

1 . Select a random integer k between 1 and p — 2 (inclusive), such that k is relatively prime 
to p — 1 . 

2. Calculate r, the Inr of g* modulo p. 

3. Find k', an inverse of k modulo p — 1. (This inverse exists due to our choice of k.) 

4 . Calculate s, the Inr of k'(d(P) — ar) modulo (p — 1). (Only A can do this step, as only A 
knows the private key a.) 

5. The signature is the pair of integers, r and s. 

To verify that this signature is valid, the recipient B must do this: 

1 . Verify that r is between 1 and p — 1 ; if not, reject the signature. 

2. Using A’s public information, calculate v, the Inr of yV' modulo p. 

3. Calculate d(P), the digest of the message P. 

4 . Compute w, the Inr of modulo p. 

5. If V = w, accept the signature as valid; otherwise, reject it. 

Why does this work? Well, because 

s = k'(d{P) — ar) (mod p — 1), 

we have 

ks = k k'(d(P) — ar) 

= d{P) — ar (mod p — 1). 

Thus, by subtracting ar from both sides, we have 

d{P) ^ ar + ks (mod p — 1). 

Because of the properties of discrete logarithms, this then yields 

gdiP) ^ ^r*ks py 

But note that by construction of v and w, and because of the previous congruence, we must 
have 

W ^ ^ g-**^ ^ {gyp ^ yV ^ V (mod p). 

Thus, the signature is valid iff v = w. 

Example. For this example, we will use a simple hash function, but unsuitable for crypto- 
graphic purposes. For simplicity’s sake, we will not use salt, or CBC. Suppose A is using 
the public prime 

p= 768416655531999472553972503490662169854881508111468141690052585033772 
353811145704262633807570477286149198100781782215658227986987692047241181 
534570445703 1 224942 130576663711191 17944205 15351 6492397844 1 2205 1 887566688 
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7574706804224094930 150661111 156295398663728459674020860553762 1 2896 1 77870 
76209 187671 392407592 1 74797. 

This choice of p is a safe prime; we know the factorization of/? — 1, which has at least 
one large prime factor; in this case, p — \ = 2zt, where 

Z = 362, 


and 

t= 106134897172928103943918854073295879814210153054070185316305605667648 
115167285318268319586681005150020607472483671576748374031351891166746019 
548973818467282112460367080990486066014392977005040386442558294459608658 
668 15893376000 13111 8992625 8441385295561 653708006547249455 1 62460344775949 
000288933247779568497479. 

A chooses a generator modulo p. 


8 = 2 . 


A chooses a private value for a: 

a = 45366932286305017454823998962543872234171279575807307127836833791199 
106589647221361411404680513932826550438110018938792808421883674318765239 
855541004504826749690514434467452187115574562871476458097782440492959459 
1 145959 1 89981923573547 1 8847375845084259 1 86299700677238352348768625876330 
30204352936542407 1172153676. 

A computes the public value of y, the Inr of .g" modulo p\ 

724055273252881509576588841040152725840811907267226166652168857689817 
926487564907954651926297199335221112806345258137591945857251048343201130 
805689635851693738336967838518779547772897009773874067873510422086447659 
524797666800500925069823070582327783189100853134197262953696156421360406 
763271593001 58548622476503. 

The plaintext message which A must sign is 

P= 47495233644665988426542797641862170747046710526789245391156504620320 
517515571648723939384358595186200968673256615798341680398991554123874397 
908150043241195926795222914754565141859355539104925268550584190056601904 
838582629751247671428189205507655795265722620866029099708789775077073512 
480224582285200694 1 89809 1 67. 

We will assume P has already been encrypted using public information of the recipient 
B, and sent to B. A creates a signature for this message by doing the following: 

A selects a random integer k such that Q<k<p — 2 and {k, p — \) = \', say 

yt= 828569173899706322862537866306640776566352364751963244609011965664662 
488417460387862608694420472286305311556299061959003482409233005037723040 
325579207521157865540839175624706248094985512559552109060621372261182159 
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073674266728597908901785500052357159821947443150603075554861577713129845 

7166748765201121009594717. 

A then calculates r, the Inr of g'‘ modulo p: 

r= 754980689309015967134652122289681073011337085880931754788354434950465 
868945202772744073062829346744777955627154546239814497986673097913596618 
187706415730448305962740003790259873593478841192742794988274985183707335 
088576870708479793565047483444344434823417504303091568416797285536744959 
93894473633702658894519225. 

The value for r is the first part of the signature. Now, A must find an inverse of k mod- 
ulo p — 1 ; this is easily done using the extended Euclidean algorithm: 

k' =41476618378700412297173224500420810670339064876850101272695099201480 
409096613565495099867137782188429871575488175498185490101859098759692392 
347429741878039564964082396789943865344588220167170614361150870833650116 
512052394573930927553494824898854134339214385016217721200185633500260411 
302215163263988431152856749. 

A must compute a digest of the plaintext message. A uses the public hash function 
d(x) = .r (mod q) 0 < dix) < q 


where the prime q is: 

^= 10931809682175872911 

= 1001011110110101100101101111110010011010010001001100111110001111base2- 

(Note that the binary representation of q is 64 bits; it will produce a 64-bit digest.) A cal- 
culates d{Py. 


d{P) ^ 7763193083250062093 (mod q). 

Now, A calculates the final part of the signature: 

5 = k'(d(P) — ar) = 

504129645472912448866079239459312209155283159891818206116181584336284774 
060877780128027574808314656854901317166655437096228316557996491503697413 
041178568111884781202739723644461510362506102063431227543591653744230589 
232661184347273905109607430598564690942443238612401218536035199345301596 
39900593535677309588849 (mod p - 1). 

The values of r and s are sent to B. To verify that this signature is valid, B must first 
check that r is between 1 and p — 1. This checks, so B continues in this way: 

B then calculates the two values v and w. B can compute w because the hash function is 
public: 

V = y V = 

438908365050492172112141159266916014689430122622767850409990603339138565 

278995621692689044958914233869339458908488816024934068379856100514306151 
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641194989852455577634720396702065575387017714394831539504200403961645096 
72807272609532202342 1 1 1 2943523393879 1 61424144304336692 1 69642791 4064 1 9470 
91918468321515459948865 (mod p) 

and 

438908365050492172112141159266916014689430122622767850409990603339138565 

278995621692689044958914233869339458908488816024934068379856100514306151 

641194989852455577634720396702065575387017714394831539504200403961645096 

728072726095322023421112943523393879161424144304336692169642791406419470 

91918468321515459948865. 

B takes note of the fact that v and w are equal, and accepts the signature. 


Storing Passwords or Passphrases as Digests A system administrator has a 
peculiar problem. She must store the passwords or passphrases of all her users, so that she 
can compare these entries to the entered passwords when a user attempts a login. However, 
she must be able to protect these passwords, so unauthorized users cannot obtain them. Ide- 
ally, it would be best if the system administrator herself could not obtain the passwords. 

Cryptographically secure digest functions provide a solution. A user’s password is not 
stored, but rather, a digest of the password is stored. When a user attempts a login, a digest 
of the password is taken, then compared against this user’s entry in a table. If an adversary 
somehow obtains the hashed password list, it does him little good if the digest function is 
a good one; that is, it will be nearly impossible for him to obtain any particular password 
from its digest. Even the system administrator does not know any particular password; only 
the user who created it knows (assuming he or she didn’t forget it). Various operating sys- 
tems grant access based on such an idea; Figure 16.11 illustrates this process: 


16.8 ATTACKS ON DIGEST FUNCTIONS 

There are various approaches to defeating a digest function. To defeat a digest function, 
one must be able to produce a bogus message, say F', which hashes to the same value as 


Figure 16.1 1 
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the message P. In addition to other parties, both the verifier (receiver), and the signer (sender) 
of a message may wish to have this ability. Why? 

If a third party is able to produce a bogus message P' , such that h(P) = h(P'), he may be 
able to convince the signer to sign P' , then later claim this signature is for P. The meanings 
of P and P' may be totally different. For example, suppose you want your secretary to draft 
a message P that orders your company bank to transfer funds to more conservative stocks. 
Instead, by careful construction, he drafts a fraudulent message P' which orders the bank 
to transfer 1.3 million company dollars to his Swiss bank account! By virtue of this careful 
construction, it so happens that h(P) and h{P') are equal. The bank receives the bogus mes- 
sage, accepts it as authentic, and the next day your secretary is nowhere to be found. The 
verifier (an employee of the bank, in this case) may also want to be able to do this (if he also 
leans toward dishonest activity). 

The signer can also do this. Suppose you are a high-ranking official of your government, 
and you want to send a message P' ordering the death of millions of innocent civilians. By 
careful construction, you are able to produce a message P that instead conveys great love 
and affection for the masses. It so happens that h{P) = h(P'). You send the message P' to 
your generals, who accept it as genuine, and then carry out your orders. Later, when NATO 
is trying you for crimes against humanity, you whip out the message P, claiming that it was 
the message you really sent. You claim that some adversary confiscated the message P and 
sent P' in its place. The act of denying that you sent a signed message is known as repudi- 
ation. A good digest function enforces nonrepudiation; that is, it makes it far too difficult for 
a signer to find a bogus message to use in place of the real one. 

Now do you see why a digest function must have the three required properties? If you 
recall, they are: 

1 . Given a hash value h(m), it must be extremely difficult to determine m. 

2. Given a message m, it must be extremely difficult to find another message in' such that 
h(m) = h(m'). 

3. It must be extremely difficult to find any two messages, say m and m' , for which h(m) = 
h{m'). 

The Birthday Attack The following illustrates a method to defeat a digest function, 
known as the birthday attack. It is based on the following well-known principle: If you 
select (with replacement) from a set of m objects, with high probability, you can expect to 
draw some element twice within Vm selections. 

The way we normally hear this is from the birthday problem: If you select randomly 
from the population, the odds are high that you will encounter 2 people with the same birth- 
day within about 19 = V365 selections. 

In the birthday attack, we assume the individual with bad intent can make modifications 
to both the real message (P), and the bogus message (P'). Suppose the digest function pro- 
duces an n-bit hash. Thus, there are 2” possible hashes (2 choices for each bit.) Note before 
we begin that a/(2") = 2"'^. This is what to do: 

1 . Generate a table of t = 2"^^ minor modifications to the message P (add a space, delete a 
semicolon, use a similar word, etc., etc. . . ). Label these modified messages Pi, P 2 , . . . , 
Pf 
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2. For i from 1 through t, generate the hash h{Pi), and store it with the message F,. 

3. Generate a minor modification of the bogus message P', say P . Search the table for a 
message such that h{Pi^) = h(P*) for some k. (The search of the table can be done in 
constant time if a hash table is used.) 

4. If the search is successful, stop. The current P* is the fraudulent message, to send in place 
of Pj,. If the search is not successful, return to step 3. 

Depending on n (the hash size), the birthday attack can have enormous storage require- 
ments. If n = 64, the table will contain 2^^ s 4 billion elements. If each modified message 
and its hash takes, say, one thousand bytes each, then we are talking storage space of about 
4 terabytes. Though this seems large, it is feasible, or soon will be. Thus, digest functions 
which produce 128 bit (or larger) hashes are preferable. 

Note that it may be possible for the “bad guy” to modify only the bogus message. This 
considerably increases the amount of selections one should make before expectations of 
finding a match are high. As an example, suppose your birthday is luly 15. How many peo- 
ple should you randomly sample from the population so that the odds are greater than 50 
percent that you will find someone with your birthday? 

There are many other attacks on digest functions. Unfortunately, due to space consider- 
ations, we cannot cover them here. An excellent reference for this topic (and many other top- 
ics in cryptography) is The Handbook of Applied Cryptography, by Menezes, van Oorschot, 
and Vanstone, published by CRC. 


16.9 ZERO KNOWLEDGE IDENTIFICATION 

Sometimes all that is desired in an exchange between two parties is that one be assured of 
the identity of the other. (This is common among military protocols.) There are various 
ways to do this, but one of the most interesting ways is to use “Zero Knowledge Identifi- 
cation.” This refers to convincing someone that you are who you claim to be by convinc- 
ing them that you know certain information that only you could know, but without revealing 
that information to anyone, including the entity you are trying to convince! In these types 
of exchanges, the entity trying to prove their identity is called the respondent, and the entity 
trying to establish the identity of the respondent is called the challenger. 

For example, suppose individual A is known to be using a public modulus n, where n is 
the product of two large strong primes both congruent to 3 modulo 4, say p and q. A can con- 
vince another individual, say B, that he knows these primes, without revealing them to B. 
If A can do this, B is assured that A is really who he claims to be. A and B proceed in this 
way: 

1. Let A (the respondent) choose n as the product of two strong primes, p and q. A also 
chooses some integer s such that s has a square root modulo n. The integers s and n are 
public, and registered with a Trusted Third Party (TTP). A computes t, the Inr of a square 
root of s modulo n; that is, he computes t such that 


f ^ s (mod n) 0<t<n. 
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The value of t is kept private. Note that only A should be able to calculate t, as only he 
knows the prime factors of n. 

2. A chooses a random positive integer r less than n, and sends to B (the challenger) two 
values: 

Zi = Inr of modulo n, and 
Z 2 = Inr of JZj. modulo n, 
where Zy is an inverse of Zi modulo n. 

3. B checks that Z 1 Z 2 = s modulo n. He then randomly chooses either c = 0 or c = 1 and sends 
c to A. 

4. A will respond in one of two ways: 

• If c = 0, A sends the message r to B. 

• If c = 1, A sends the Inr of tr' modulo n, where r' is an inverse of r modulo n. 

5. B now computes the Inr of modulo n, and does one of two things: 

• If c = 0, he checks that = Zi (mod m). 

• If c = 1, he checks that (tr')^ = f'r'^ = szi = Za (mod n). 

After this process, B knows that A can compute t, a square root of s modulo n, but he can- 
not compute t himself, and t is never revealed to him. These are the only values that B knows 
(modulo n): Zi = r^, Z 2 = = sr' , ^, and exactly one of r or tr' . Note that B can never 

be given both r and tr' , for this allows him to calculate t. This process can be repeated as 
often as necessary with different random values for r until B is convinced that A knows t. 
However, it is absolutely vital that A choose a different value for r every time. Why? 

Example. Suppose a is using the public modulus 
n = 

274767815982245548988790206801956651309342982830065216921948667831130363 

270253391613297772360579492679629996501029139838682116550051160900059917 

252079335683044082645443287136361829237904549448424168235143278727967298 

537931735369900497614908459888542386548176723918689759709749816846741951 

438624571462267660236650416857894422109721140233441189969425961870588371 

894903496708435357401553646260714625504652954935134556139340783655294871 

737383374223242600468713011439066059016281996201542058384927054227873607 

471972731775123706246506154077712330891353812432890865488929521246586593 

80550940695643273559171683514261677617772051153 

which is the product of two large, strong (and private) primes congruent to 3 modulo 4; 
namely, 

P = 

200766270232954088077041575959108612757411238838003505144742064111712514 

438539012193632244782163192814569872158475903654023762579506771732582156 
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267397 1128594579409939294218379325314393 1 816436660620039075 1778729265037 
950855560496259965189976512124408069020047445498322443733964180877589666 
180519936116197326763539 

q = 

136859550991023357674233837751193444637145211672745580838508211454534324 
823686210424604005719046718052981484190707562992713417956940416543355152 
315219159854859002395777579635185385039269578229009584384066590554210488 
182334714799737615710384650453125076807810092764555005612188062536100529 
729582 1927389722131 80427 . 

A is using the following public identifier: 


j = 

655888759462533346896099455125955297863619815052059946417712093279459636 
342631365262945091607400505266438654108015109512874780341338294558609172 
89602594 1 074322477348 13074447586090300953 1 0089609704 1 1 05461066228022450 1 
660338817707042363199903874446894924326459533810656402488896490602481754 
670208321628711511660442363295704362838936281451766918918230371219558149 
385417339919129898962756076179525208607677979542348282535347567620941558 
147949717798991715469439796914202792913405951608628308879284162599741791 
439709118592992294885567487226707477594154920388849028073235350461353895 
1357097063700167482750883742174106086454102797 . 

This value for s has a square root modulo n; let’s say, 


t = 

165939251694010184592593767485127540635808807933739119951718497170488592 

148972055777285530210620518273692388315164078449283411444102820207961683 

880417477924017600541987600931639085385971444581959989319417992193306141 

335450460118404029149636306714968895603334454397709463970275583243016901 

423853053941948601770260591458870529845193261034683705291970236037633310 

907364071581496095213148290413871725043392307378067658837187041433121406 

416290503339428815946362864700618273596792458170735372510429224074039038 

301648162396953994412378543760633875395589555679973650286550990104663372 

81692939001856637528820509003569587098467436984 . 

This value for t is kept private. To convince B that he can indeed compute t, without 
revealing f, A first chooses a random integer less than n, say 


173651607556993658543074931792348037298652767890536649836378803212048174 
119600416703769869733860342049288372423745801528669105373390624108185926 
747940578397289745643201766424420162191119041288192344657982273471518628 
215332496677780952733934200916926981810730240920232847296029476965497809 
6627397045 1 9945 1 8797045340846639594 1 39605 1 840775986075 1251081 82246279299 
702785594609410635181141522115473272018306542018693995053351421839424696 
91111 754069487517564798020 1 822766 13582698787854707003902690544808844 1 503 
482709036662431574895978524539775437034803554754381419475994272847508134 
83730877286437180056765310582867370836696334060 . 
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A computes Zi, the Inr of modulo n, then sends this to B. 

= 

636907372916630417639950660028166281719492055429217364220457489593037866 
16533345937931577287578777337037541907245 190619182026856650879956802273 1 
737276532379327302367995409491660366403960670960063687902082639535214517 
045720899834810899222021096792723663168335105157383677283412810909888900 
179491908626568577017870853324071917713448484526818434606091908128397432 
395391731852501588490032870693623410766981003941348635411619193549032114 
405481488544612831083993700764578354603810601080608921028150953269184186 
219061408040286430527370708983876150599535584027175567558557848017906083 
1579922562038044043747049460663818567470875382 . 

A then computes an inverse of Zi modulo n; this is easily done using the extended Euclid- 
ean algorithm: 

Zr = 

246861721516894764252857411577867113106454940350062866347313323253750006 
309210441793579823771625445834016495579963542682581812777362375425095701 
318904290767164397489938749611564580089961691014202886617184187465096281 
631499614795929225020721256594603297285157756882085472837738293484795666 
944305502745974610118790479938567928569294792138203329433501519459756404 
164108998150168996044258670546338629889604324314333379678354812911262934 
584061508732936864208392730118708935918087007332226648604671082131679750 
509595497578449495620684634767310513103044947716489026578148063839872078 
424811 6358933225458494226492425 8171668574862418 . 

A needs this value to compute Z2, the Inr of szy modulo n. A sends Z2 to B: 

^2 = 

127475513685566725446890852720613095360327187603988651941231415853157578 
331456597153209494004736210977699578916999466032456677595127519634159990 
521540837957056538345106025673773524185786635004052033863289249942948679 
351840188229397744858421574833317348003660917673550353744822055165736111 
234512904116889272699406948842755115609086788122010131676983531175952081 
153644282751762038948324143832454354255524095948364303252903127278566455 
8678766548424116876239 1 821058930035 1425 14569910831 1 147796242254029159776 
570872196619284791816763597060378966996431439737466965332522784477229827 
90267877957407209494836944774782001306385230738 . 

B receives the two values Zi and Z2, then checks that the Inr of their product is equal to 
s. If you care to do the calculations, you will see this is true. 


ZlZ2 = 

246861721516894764252857411577867113106454940350062866347313323253750006 

309210441793579823771625445834016495579963542682581812777362375425095701 

318904290767164397489938749611564580089961691014202886617184187465096281 

631499614795929225020721256594603297285157756882085472837738293484795666 

944305502745974610118790479938567928569294792138203329433501519459756404 
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164108998150168996044258670546338629889604324314333379678354812911262934 
584061508732936864208392730118708935918087007332226648604671082131679750 
5095954975784494956206846347673105 1 3 103044947716489026578148063839872078 
4248 1163589332254584942264924258171668574862418 

X 

127475513685566725446890852720613095360327187603988651941231415853157578 

331456597153209494004736210977699578916999466032456677595127519634159990 

521540837957056538345106025673773524185786635004052033863289249942948679 

351840188229397744858421574833317348003660917673550353744822055165736111 

234512904116889272699406948842755115609086788122010131676983531175952081 

153644282751762038948324143832454354255524095948364303252903127278566455 

867876654842411687623918210589300351425145699108311147796242254029159776 

570872196619284791816763597060378966996431439737466965332522784477229827 

90267877957407209494836944774782001306385230738 


655888759462533346896099455125955297863619815052059946417712093279459636 
342631365262945091607400505266438654108015109512874780341338294558609172 
89602594 1 074322477348 13074447586090300953 1 0089609704 1 1 05461066228022450 1 
660338817707042363199903874446894924326459533810656402488896490602481754 
670208321628711511660442363295704362838936281451766918918230371219558149 
385417339919129898962756076179525208607677979542348282535347567620941558 
147949717798991715469439796914202792913405951608628308879284162599741791 
439709118592992294885567487226707477594154920388849028073235350461353895 
1357097063700167482750883742174106086454102797 

= s (mod n). 

B then decides randomly whether to send a 0 or 1 back to A; suppose he sends the value 
1. Based on this, A returns the least nonnegative residue modulo n to tr' where r' is an 
inverse of r modulo n. First, A computes r': 

r' = 

764099968690517121353391255537826929750924022145231920293817937632484200 

823244999038441517299580887466057364940456674813820681845030102296572043 

247418709740901233920492877082722195586964133943577932846049127187555913 

363875968625100568262434936406068829493394067017187494181655556329697789 

932580011860799983102455166834397186103513262877061007687879555815158196 

016324784295136230869266483953750781133922821173790858487694810620347648 

301792150686779513226606176017404800599220202167204333402307816537714588 

876092282949731916637465773977250127289684352419427943174791878195060338 

5903656057778952993572766763597517719600882926. 

The value which A sends to B is therefore 

tr' = 

806863988054169024920301405295203174706259473118276369760225652423019997 

525913534708697658713793930280015474876469073032943300741644028317049787 

631296437500635771334741355725945454918382262962438730708821951004673206 
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322198267702768221957464447815659664803425920162579425858987136337152043 
957803039846247255965834154373962038550549430345349851187184745315084581 
188882729078285545220915858184790787483769803775031226136431317486562458 
35041 84820486 1 7 1 77445510205736750992758785 167201 86429103245494666 1656281 
680207992840332684 1 7907044440559956361 1 590222800 16561 644922604075591739 1 
1635634931359062322458271768089779844860822413 (mod n). 

Finally, B squares this, and since he sent a 1, he checks that the Inr of {tr')^ is Z 2 - If you 
do the computation, you will see that this is so: 

(tr'f - 

127475513685566725446890852720613095360327187603988651941231415853157578 
331456597153209494004736210977699578916999466032456677595127519634159990 
521540837957056538345106025673773524185786635004052033863289249942948679 
351840188229397744858421574833317348003660917673550353744822055165736111 
234512904116889272699406948842755115609086788122010131676983531175952081 
153644282751762038948324143832454354255524095948364303252903127278566455 
8678766548424116876239 1 821058930035 1425 1456991083 1 1 147796242254029159776 
570872196619284791816763597060378966996431439737466965332522784477229827 
90267877957407209494836944774782001306385230738 


= Z 2 (mod n). 

□ 


Java Algorithm 1 have written a couple of Java programs to do this kind of exchange. 
Here the respondent acts as a client, sending a request for approval from the challenger, 
which acts as a server. The respondent connects to the challenger, sends the values for n and 
s, then generates r, Zi, and Z 2 - It sends Zi and Z 2 to the challenger, then waits for the challenge, 
a 0 or a 1 . It responds to the challenge, then waits for a response from the challenger, either 
“Y” meaning approved, or “N” meaning not yet approved. If the respondent is not yet 
approved, it generates new values for r, Zi, and Z 2 , and begins again. Here is the Respondent 
class. 

import j ava . math . * ; 
import j ava . net . * ; 
import j ava . io . * ; 
import java. security ; 
public class Respondent { 

static But feredReader k=new But feredReader (new inputStreamReader (System. in)); 


public static void main (String!] args) throws lOException { 


//Define some handy values 
Biginteger zero=BigInteger . valueOf ( 0 ) ; 
Biginteger one=BigInteger . valueOf ( 1 ) ; 
Biginteger two=BigInteger .valueOf (2 ) ; 
Biginteger three=BigInteger .valueOf (3 ) ; 
Biginteger four=BigInteger .valueOf ( 4 ) ; 
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//Generate two strong primes congruent to 3 mod 4 
SecureRandom sr=new SecureRandom ( ) ; 

PrimeGenerator pg=new PrimeGenerator { 513 , 10 , sr ) ; 

Biginteger p=null , q=null ; 
do { 

p=pg . getStrongPrime ( ) ; 

} while ( !p. mod (four) .equals (three) ) ; 
do { 

q=pg . getStrongPrime ( ) ; 

} while ( !q.mod(four) .equals (three) ) ; 

//Form the modulus as the product of these primes 
Biginteger modulus=p .multiply (q) ; 

//Choose a random value t and square it modulo the modulus to form s 
Biginteger t=new Biginteger (modulus .bitLength () -I , sr) ; 

//s is your identifying number 
Biginteger s=t .modPow(two, modulus) ; 

//The values of s and the modulus should be made publicly available 
//with a Trusted Third Party (TTP) 

System. out .println { "Enter host name or IP address of challenger:"); 

String host=k. readLine ( ) ; 

Socket socket=new Socket (host, 12345) ; 

PrintStream out=new PrintStream ( socket . getOutputStream ()) ; 

Buf feredReader in=new Buf feredReader (new 

inputStreamReader (socket . getlnputStream( ) ) ) ; 

//Send the values for the modulus, and s, to the challenger-we do not send t 
//of course 

out .println (modulus . toString ( ) ) ; 
out .println (s . toString ( ) ) ; 

String approved="N" ; 

//The challenges begin 
do { 

System. out .println ( "You have yet to be approved."); 

//Generate the random value r 

Biginteger r=new Biginteger (modulus .bitLength () -1 , sr) ; 

//Gompute zl and z2 

Biginteger zl=r .modPow (two, modulus ) ; 

Biginteger z2=s .multiply { zl .modinverse (modulus ) ) .mod (modulus ) ; 

//Send zl and z2 to the challenger 
out.println(zl.toString() ) ; 
out .println (z2 . toString ( ) ) ; 
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//Challenger will send back a 0 or a 1 

int challenge=Integer .parseint ( in. readLlne ( ) ) ; 

//If a 0 was sent, return r to the challenger 
if (challenge==0) out.println(r.toString() ) ; 

//Otherwise, send tr' modulo the modulus to the challenger 
else 

out .println (t .multiply (r .modinverse (modulus) ) .mod (modulus ) .toStringO ) ; 

//Challenger will now either send "Y" (approved) or "N" (not approved) 
approved=in . readLlne ( ) . toUpperCase ( ) ; 

} while ( ! approved. equals ( "Y" ) ) ; 

//If we get here, we succeeded 

System. out .println ( "Your claim of identity has been accepted."); 
k . readLlne ( ) ; 

} 

} 


The Challenger class is a server which loops forever simply listening for connections on 
port 12345. (I didn’t choose this port for any particular reason.) It establishes a socket with 
a respondent using the accept() method. So that the challenger can deal with multiple respon- 
dents at once, it is threaded. It will produce a new Challenger object (a subclass of Thread) 
for each new connection. If any response from a respondent does not check, the challenger 
closes the connection immediately. 

import j ava . math . * ; 
import 3 ava . net . * ; 
import java.io.*; 
import java. security ; 

public class Challenger extends Thread { 

static Buf feredReader k=new Buf feredReader (new inputStreamReader (System. in) ) ; 

//socket is the connection between challenger and respondent 
Socket socket=null ; 

//trials is the number of challenges the respondent must satisfy 
static int trials=0; 
static SecureRandom r=null; 

//The constructor only sets the socket field 
public Challenger (Socket s) { 
socket =s; 

} 


public static void main (String [ ] args) throws lOException { 



348 


Chapter 16 Cryptographic Applications 


System. out .println 

("Enter the number of challenges to issue per respondent:"); 
trials=Integer .parseint (k. readhine { ) ) ; 
r=new SecureRandom ( ) ; 

//Bind the challenger to port 12345 
ServerSocket ss=new ServerSocket ( 12345 ) ; 

//Loop forever 
while (true) { 

//Create a new thread for every incoming connection 
//this allows challenger to handle multiple respondents 
Challenger c=new Challenger ( ss . accept ()) ; 
c . start ( ) ; 

} 

} 

public void run() { 
try { 

System. out .println ( "Request received from " 
esocket . getInetAddress ( ) . toString ( ) ) ; 

//Create the 10 streams 

PrintStream out=new PrintStream { socket . getOutputStream {)) ; 

Buf feredReader in=new Buf feredReader 

(new inputStreamReader (socket . getlnputStream( ) ) ) ; 

//Read in modulus and s key values 

//These should be checked against a database with a TTP 
Biginteger modulus=new Biginteger ( in. readLine ( ) ) ; 

Biginteger s=new Biginteger (in. readLine ()) ; 

Biginteger)] z=new Biginteger [2 ] ; 

//Begin challenging the respondent 
for (int i=0 ; i<trials ; i++ ) { 

//Read in zl and z2; here labeled zO and zl for convenience 
z [ 0 ] =new Biginteger { in . readLine ( ) ) ; 
z [ 1 ] =new Biginteger ( in . readLine ( ) ) ; 

//Check that their product = s 

if {! z [0] .multiply (z [1] ) .mod{modulus) . equals (s) ) { 

System. out .println { "Product not congruent to s-closing connection") 
break; 

} 

//Issue the challenge-a random 0 or 1 
int challenge=Math.abs (r .nextint ( ) ) %2 ; 
out .println (challenge) ; 

//Get the response 

Biginteger response=new Biginteger ( in. readLine {)) ; 
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//Check the response, based on the value of challenge 

if ( !response.modPow{BigIntegerMath. TWO, modulus) .equals (z [challenge] ) ) 
{ 

System. out. println("Response does not check-closing connection"); 
break ; 

} 

if (i<trials-l) out .println ( "N" ) ; 
else { 

out .println ( "Y" ) ; 

System. out. println("Respondent approved.") ; 

} 

} 

//Close the connection with this respondent 
socket . close ( ) ; 

} catch (lOException ioe) { 

System.out.println(ioe.toString() ) ; 


Here is a test run of Respondent and Challenger running on two different computers. 


Respondent: 

Enter host name or IP address of challenger: 

'k-k'k'k'k-k'k'k'k'k 

You have yet to be approved. 

You have yet to be approved. 

You have yet to be approved. 

You have yet to be approved. 

You have yet to be approved. 

Your claim of identity has been accepted. 


Challenger: 

Enter the number of challenges to issue per respondent: 

5 

Request received from **********/********** 

Respondent approved. 

Note that I have crossed out the names/IP addresses of the machines running these pro- 
grams. 
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I should mention that the Respondent and Challenger programs fail to do something 
important. First, the respondent would not generate new values of n and s for each exchange. 
These values should already exist and be published with a TTR Secondly, the challenger 
should check received values for n and s against values in a database maintained by the 
TTR This way, the respondent can be verified as having a certain set of keys, and that an 
impersonator would have a very tough time “pretending” to be that person without knowl- 
edge of their private information. (In this case, this means being able to compute a square 
root of j modulo n without knowing the prime factors of n.) 


EXERCISES 


1. Here, a set of shadows and their corresponding moduli are given, plus values for the 
reconstructing prime p and the random multiplier u. Use all the shadows given to recon- 
struct the master key, which will be immediately recognizable. 

Shadows Moduli 


1835256971 2142418429 
298859542 1247760289 
611228613 2061443389 
1052969410 1817116199 
1343567939 1614361069 
1045659651 1250119291 
1399180591 1478137559 
1725515793 2084068787 

The random multiplier is: 724799153237188128058363304731475 
The reconstructing prime is: 764018977 


2. Modify the ShadowBuilder constructor so that the user can specify the minimum num- 
ber of shadows required for construction (as opposed to just over half, as I have writ- 
ten it), and to compute the values for u and p accordingly. 

3. Design a Java class to produce random bitstreams according to the Micali-Schnorr 
method. 


4. Write a RabinEncipherSigned() and RabinDecipherSigned() method for the Ciphers 
class to perform encryption and decryption of signed messages. 

5. Write methods in the Ciphers class to send and receive signed messages with ElGamal. 

6. When two parties, B (the challenger) and A (the respondent) are using zero knowledge 
identification as described in the text, A must be sure never to repeat a random value 
for r. Why? 

7. Consider how you could modify the IntCRT class to handle negative integers, sub- 
traction, and division, then do this modification. 

8. Modify the CSRRBG class (or write your own) to generate random bitstreams using the 
Micali-Schnorr method. 


APPENDIX I 


List of Propositions 


Proposition 1 . If y, and z are integers with x\y and y\z, then x\z. 

Proposition 2. If c, x, y, m, and n are integers such that c\x and c\y, then c\{mx + ny). 

Proposition 3. (The Division Algorithm.) If and b are integers such that b > 
0, then 3 unique integers q and r such that Q< r<b and y = bq + r. This q is called the quo- 
tient, r the remainder, b the divisor, and the dividend. 

Proposition 4. Every positive integer greater than 1 has a prime divisor. 

Proposition 5. There are infinitely many primes. 

Proposition 6 . If n is composite, then n has a prime factor not exceeding the square root 
of n. 

Proposition 7. Let x, y, and z be integers with (x, y) = d. Then 

a. {xld, yid) = 1 

b. (x + cy, y) = (x, y). 

Proposition 8 . The gcd of integers x and y, not both zero, is the least positive integer 
that is a linear combination of x and y. 

Proposition 9. (aj, a 2 , 03 , ... , a„) = ((oi, 02 ), a^, . ■ ■ , a„). 

Proposition 10. If c and d are integers and c = dq + r where q and r are integers, then 
(c, d) = (d, r). 
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Proposition 1 1 . (The Euclidean Algorithm.) Let ro = c and r^ = bhQ integers 
such that c > > 0 . If the division algorithm is successively applied to obtain Vj = r,+ii?,+ i 

+ rj+2 with 0 < rj+2 < /}•+! for j = 0, 1, 2, . . . , n — 2 and r„+i = 0, then (c, b) = r„. 

Proposition 1 2 . Let x and y be positive integers. Then 

(x, y) = s^ + 

where the s„ and t„ are defined recursively as 

■S/ = ■S7-2 - for; = 2 ,...,n 

So= 1 
= 0 

tj = tj-2 - qj-itj-i = 2, . . . , « 
to = 0 

L = 1 

and the qj and r, are as in the Euclidean algorithm. 

Proposition 1 3 . If a, b, and c are positive integers with a and b relatively prime, and 
such that a\bc, then a\c. 

Proposition 14 . Suppose Ui, 02, ■■■, a„ are positive integers, and p is a prime which 
divides aia2 . . . a„. Then there is an integer i such that 1 < i < n and pla,. 

Proposition 15 . (The Fundamental Theorem of Arithmetic.) Every posi- 
tive integer n greater than 1 can be written in the form n=piP2 . . . where each p, is prime, 
i = 1 , 2 , . . . , n. Furthermore, this representation is unique. 

Proposition 1 6 . Let a and b be integers with d = (a, b). If d\c, the integer solutions x 
and y of the equation ax + by = c are x = Xo + bnid, y = yo — anid, where x = Xo,y = yoisa 
particular solution. If -f c, the equation has no integer solutions. 

Proposition 1 7 . Integers a and b are congruent modulo m iff 3 an integer k such that 
a = b + km. 

Proposition 1 8 . Let a, b and c be integers, and let m be a positive integer. Then 

a. a = a (mod m) 

b. a = b (mod m) implies b = a (mod m) 

c. a = b (mod m) and b = c (mod m) implies a = c (mod m). 

Proposition 1 9 . Let a, b, and c be integers, and let m be a positive integer. Suppose 
a = b (mod m). Then 
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a. a + c = b + c (mod m) 

b. a — c = b — c (mod m) 

c. ac = be (mod m). 

Proposition 20. Let a, b, and c be integers, and let m be a positive integer. Suppose 
a = b (mod m), and c = d (mod m). Then 

a. a + c = b + d (mod m) 

b. a — c = b — d (mod m) 

c. ac = bd (mod m). 

Proposition 21 . Let a, b, and c be integers, and m a positive integer. Let d = (c, m), 
and suppose ac = be (mod m). Then a = b (mod m/d). 

Proposition 22. Suppose ax= b (mod m), where a, b, and m are all positive integers. 
Let d = (a, m). If d b, the congruence has no solution for x. If d\b, then there are exactly 
d incongruent solutions modulo m, given hy x = Xq + tm/d, where Xq is a particular solution 
to the linear diophantine equation ax + my = b, and t = 0 , 1 , . . . , d — 1. 

Proposition 23. When matrices are used to represent a system of linear congruences, 
the three elementary row operations for matrices do not affect the solution(s) of the corre- 
sponding system of congruences modulo n. 

Proposition 24. Suppose two n X k matrices A and B are such that A = B (mod m). 
Then AC = BC (mod m) for any kX p matrix C, and DA = DB (mod m) for any qX n matrix 
D. 

Proposition 25. Suppose integers ai, 02, . . . , a„ are pairwise relatively prime. Then 
{aia2 ■ ■ ■ a„)\c if and only if aje, 02!^, • . . , a„\c. 


Proposition 26. Let a = b (mod mi), a = b (mod m2 ), . . . ,a = b (mod mj where aj, 
a2, ■ ■ ■ ,a„ are pairwise relatively prime. Then we have a = b (mod mim2 . . . m„). 

Proposition 27. (The Chinese Remainder Theorem.) Suppose m^, m2, . . . ,m„ 

are pairwise relatively prime. Then the system of congruences 

X = ai (mod mj) 

X = (mod m3) 


X = a„ (mod m„) 

has a unique solution modulo M = mim2 . . . m„, namely. 


X = fliMiyi + a2M2y2 + . . . + a„M,j>„ (mod M) 
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where M,- = M/m,- and y,- is an inverse of M; modulo m,\/ i = \,2, . . . , n. 

Proposition 28. If p is an odd prime and p a, then the congruence = a (mod p) 
has either no solutions or exactly two incongruent solutions modulo p. 

Proposition 29. (Fermat's Little Theorem.) Let p be prime and b an integer 
such that p b. Then V = 1 (mod p). 

Proposition 30. Let /? be a prime congruent to 3 modulo 4, and a an integer such that 
p a. Then if the congruence = a (mod p) has solutions, they are x = a^*'*^'* (mod p), 
and X = — a^*'*^'* (mod p). 

Proposition 31 . Let n=pq where p and q are primes congruent to 3 modulo 4, and let 
a be an integer such that 0<a<n. Suppose the equation x^ = a (mod n) has a solution. Then 
all the solutions are given by 

X = ±{zqqp' ± wppq') (mod n) 

where z = w = qp’ is an inverse of q modulo p, and p^: is an inverse of p mod- 

ulo q. 

Proposition 32. Let n = pq, where p and q are primes congruent to 3 modulo n. Sup- 
pose a is an integer relatively prime to n, and that the congruence 

ax^ + bx + c = 0 (mod n) 

has a solution. Then all the solutions are given by 

X = {±{a' {{2' bf'a ' — 2'a'b)qqp. + {±{a' {{2' bfa' — — 2'a'b)pp^. 

(mod n). 

Proposition 33. There are infinitely many primes of the form Ak + 3. 

Proposition 34. Let p be prime, and suppose x^ = 1 (mod p). Then x = 1 (mod p) or 
X = — 1 (mod p). 

Proposition 35. If n is prime and is a positive integer such that n T fo, then n passes 
Miller’s test for the base b. 

Proposition 36. Suppose n is an odd, composite positive integer. Then n fails Miller’s 
test for at least 75 percent of the test bases b where \ <b<n — 1. 

Proposition 37. If p is prime and b an integer such that p A' b, then 

a. the positive integer x is a solution to = 1 (mod p) iff \b\p divides x. 

b. \b\p divides p — 1. 

Proposition 38. Suppose p is prime and b an integer such that p A' b. Then, if i and j 
are nonnegative integers, b' = b' (mod p) iff i = j (mod \b\p). 
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Proposition 39. If g is a generator modulo p, then the sequence of integers g, g^, . . . , 
g'’ ' is a permutation of 1, 2, . . . , — 1. 

Proposition 40. If \b\p = t and m is a positive integer, then \b"\p = tl(t, u). 

Proposition 41 . Let r be the number of positive integers not exceeding p — I that are 
relatively prime to /? — 1 . Then, if the prime p has a generator, it has r of them. 

Proposition 42. Every prime has a generator. 

Proposition 43. Let p be prime, and let g be a generator modulo p. Suppose a and b 
are positive integers not divisible by p. Then we have all of the following: 

a. logl = 0 (mod p — 

b. log(ah) = logo + logh (mod p — 1) 

c. log(a*') = k ■ logfl (mod p — 

where all logarithms are taken to the base g modulo p. 




APPENDIX 


Information Theory 


Information theory is closely related to cryptography. Cryptanalysts use results obtained 
by information theorists to help them crack ciphers, and cryptographers use similar 
results when crafting cryptosystems and choosing keys. Information theory provides tools 
that allow us to measure the amount of information in a message. Cryptographers attempt 
to keep this information to a minimum, while cryptographers exploit this tiny amount of 
information to help them determine a probable plaintext for a given ciphertext. 


All.l ENTROPY OF A MESSAGE 

If we define the amount of information in a message as the minimum number of bits (includ- 
ing fractions of a bit!) needed to encode all possible meanings of the message, we can obtain 
a measure of that information. For example, suppose we are looking at the following bit 
stream message 

1010011010001010101000001010100010001010100110101000010010 

00101010100100 

which we know indicates a month of the year. Regardless of the actual length of the mes- 
sage, we could say that the message contains only about 3 or 4 bits of information, since it 
only takes that many bits to code up all possible months. (See Table A2.1.) 

We define the entropy E{M) of a message M as 

E{M) = logjw 

where n is the number of possible meanings of M, where each meaning is equally likely. Thus 
the entropy of a message M' signifying the month is 

EiM’) = log2l2 s 3.5849625007211561814537389439478. 
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TABLE A2.1 



Questions 

What is the entropy of a message that signifies 

1. A day of the week? 

2. A day in the month of May? 

3. A time of day in hours, minutes, and seconds? 

What entropy means to a cryptanalyst is that the analyst needs only to learn at most only 
4 bits of a message representing a month to discern the month. For example, consider the 
12 messages in Table A2.2, which represent all of the months in a year: 

In this case, examining only the first 2 bits and the last 2 bits of one of these messages 
will tell you the month. We say that the number of bits required to determine the meaning 
of a message is the uncertainty of a message. In general, entropy and uncertainty are equal. 
Obviously, for the cryptanalyst, the lower the entropy, the better. 


AII.2 RATE OF A LANGUAGE 

What is the entropy of any English message? This is what the analyst really wants to know. 
If we are using only upper case letters (there are 26 such letters), then certainly the entropy 
is no more than 
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Month Message 


January 

February 

March 

April 

May 

June 

July 

August 

September 

October 

November 

December 


000101001 000001 01 001 1 1 001 01 01 01 01 000000101 01 001 0001 01 1 01 000000000000 
00001 1001000101 0100001001 01 001 001 01 01 01 01 000001 0101001011001 000000001 
010110101 000001 01 01 001 001 00001 101 00100000000000000000000000000000000001 0 
01 00001 01 01 00000101 001 001 001 001 01 001 1 0000000000000000000000000000000001 1 

0001 1 01 01 000001 01011001 0000000000000000000000000000000000000000000000000 
0001 01 001 01 01 01 01 001 1 1 001 0001 010000000000000000000000000000000000000001 
01 01 01 001 01 01 01 01 001 1 0001 01 1 0010000000000000000000000000000000000000001 0 
01 00001 01 01 01 01 01 0001 1 1 01 01 01 01 01 01 001 1 01 01 0100000000000000000000000001 1 
101001101000101010100000101010001000101010011010100001001000101010100100 
100111100100111101010110010001010100110101000010010001010101001000000001 

100111001001111010101100100010101001101010000100100010101010010000000010 
1 0001 0001 000101 0100001 1 01 0001 01 01 001 1 01 01 00001 001 0001 01 01 01 001 000000001 1 


TABLE A2.2 


R = log226 s 4.7004397181410921603968126542567. 

This upper bound R of the entropy is called the absolute rate of a language. For English, 
the value above says that each letter contains about 5 bits of information. In truth, the actual 
amount of information in each letter is much lower than this. 

To find a better estimate of the entropy of a language, we may want to compute the 
entropy for messages of size 1, 2, . . . , N, and use some averaging technique to obtain an 
estimate. 


= [E(Mi)n + E{M2}/2 + . . . + EiMf^)/N]/N 

Here M, represents messages of length i. If we use large values of N, and if we assume 
the entropy converges to some value as N approaches infinity, we can get a good estimate 
of the entropy of a language. 

r = lim (as N 

We call this value r the rate of a language. Many studies have been done to compute r 
for English, and the best estimates obtained so far are around 


r= 1.3. 
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This means each letter in an English message contains only slightly more than a single 
bit of information. If we express the redundancy of a language as its absolute rate minus its 
rate, i.e., 


D = R- r 

then clearly English is a very redundant language, for we have in this case 

D = R-r=4.1 - 1.3 = 3.4. 

This means that on the average, English messages are only about 28 percent real infor- 
mation, and 72 percent wasted space. Such a low value is beneficial to a cryptanalyst, since, 
conceivably, it means the analyst only has to determine around a single bit for each letter 
in a message to determine the message. If we encode characters in bytes (as we usually do), 
the analyst would only need to determine 1 out of every 8 bits to successfully recover a 
plaintext message. (Of course, finding these bits, and making them hard to find is the con- 
tinuing battle between cryptanalyst and cryptographer!) 

If we want to measure the entropy of a cipher, we can simply measure the entropy of its 
key space K. If each key in a key space K is equally likely for a 64-bit cipher, then, since 
there are possible keys to use, the entropy of the cipher is 

E(K) = log22''" = 64 

Of course, for a cryptographer, the higher the entropy of a cipher, the better. 


AII.3 CRYPTOGRAPHIC TECHNIQUES 

In general, a cryptographer wants to decrease the redundancy in messages (likewise, increase 
the entropy), since as we have seen, the more redundant a language is, the easier messages 
are to cryptanalyze. This is done using techniques that can be separated into categories: 
confusion, and diffusion. 

AII.4 CONFUSION 

This technique is intended to make statistical analysis more difficult by replacing plaintext 
items with ciphertext items possessing less redundancy (hence, greater entropy). 

This is commonly done through simple substitution. Eor example, the Caesar cipher 
substitutes letters with other letters, though, as we have seen, the substituted letters contain 
as much redundancy as the plaintext letters, so do little to protect the information. Other sub- 
stitution methods replace entire blocks of characters with other blocks. If, on the average, 
half of the bits of a substituted block change with every bit change in a plaintext block, and 
if one is unable to predict which bits will change, we have ciphertext that appears to have 
greater entropy than the plaintext. 

In practice, however, the conditions required for a successful substitution are often not 
met; that is, sometimes the analyst is able to predict how many bits of ciphertext will change 
for some bit change in the plaintext, and can even know which ciphertext bits will change. 
They can do this with careful study of the ciphertext, and of the mathematical transforma- 
tion used. 
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AII.5 DIFFUSION 

Diffusion spreads the redundancy in the plaintext throughout the ciphertext. That is, it makes 
the crucial bits that the cryptanalyst seeks harder to find. Most often, transposition is used 
to accomplish this. Early transposition ciphers, which mapped characters to characters, 
obviously did not diffuse the redundancy of messages well, since the same characters were 
simply rearranged. A statistical analysis of the ciphertext yielded much the same frequency 
distribution as normal text, and rearranging the letters was often quite simple. When trans- 
position was eventually used with fractionation (i.e., moving single bits, or parts of the 
plaintext different than the size of a character), it was much more effective. 

AII.6 COMPRESSION 

There is a good technique for generally decreasing the redundancy in a message: compress 
it. A compressed message contains the same amount of information as the original in less 
space. That is, compressed messages contain less redundancy. For this reason, cryptogra- 
phers often compress messages before enciphering them. This also has the added benefit of 
yielding a shorter message that can be stored and transmitted using less resources. 

There are many excellent compression techniques. Often, the compression method is 
linked to the type of data it is intended to compress. For example, a compression algorithm 
intended to compress text would be different from one intended to compress a bit map 
image. Good compression algorithms exploit the particular redundant characteristics of the 
data they are supposed to compress. 

I£xAIVIPLE. Here is a simple example of compressing text consisting of only upper case Eng- 
lish letters. The typical encoding of characters is 1 byte each; however, we know that we can 
reduce this to 5 bits per character, because we can code up each character as shown in Table 
A2.3. 

The last character in the table will be a special marker character we may pad our bytes 
with when compressing. We will remove it should we decompress the message. Given the 
length of these characters, we should be able to fit 3 characters into 2 bytes. We can do this 
in the simplest way; suppose we want to compress the message “DOG.” 

We skip the first bit of the first byte, and place the character bits after that, as shown in 
Table A2.4. 

If we have a message that is not a multiple of 3 bytes, we use the pad character for the 
last 1 or 2 characters. Random salt can be placed in the unused bit. 

□ 

Java Algorithm Here is a Java program that compresses text according to this scheme: 

import j ava . math . * ; 
public class CharCompressDemo { 
static int posA='A'; 

public static void main (String [ ] args) { 

String incoming=args [0] . toUpperCase { ) ; 

if ( incoming . length {) %3==1 ) incoming+=" { [ " ; 


Character 


Code 


A 

00000 

B 

00001 

C 

00010 

D 

00011 

E 

00100 

F 

00101 

G 

00110 

H 

00111 

1 

01000 

J 

01001 

K 

01010 

L 

01011 

M 

01100 

N 

01101 

0 

OHIO 

P 

01111 

Q 

10000 

R 

10001 

S 

10010 

T 

10011 

U 

10100 

V 

10101 

w 

10110 

X 

10111 

Y 

11000 

z 

11001 

<pad character> 

11010 
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TABLE A2.4 





EB 

Unused 

0 

D 

0 0 0 1 1 

0 

0 1110 

G 

0 0 110 


else if { incoming. length () %3==2 ) lncoming+=" [ " ; 
byte [ ] original=incoming . getBytes { ) ; 

Blglnteger origNum=new BlgInteger{l,original); 

System. out .println ( "Original string in binary : \n"+origNum. toString (2 )) ; 
byte[] compressed=new byte[2*incoming.length()/3]; 
compress (original , compressed) ; 

Blglnteger compNum=new BlgInteger(l,compressed); 

System. out. println("Compressed string in binary : \n"+compNum. toString (2)); 


} 

public static void compress (byte [ ] o,byte[] c) { 
for (int i=0 , j =0 ; i<o . length-2 ; i+=3 , j +=2 ) { 
int cl=o [i] -posA; 
int c2=o [i+1] -posA; 
int c3=o[i+2] -posA; 

int resl=0 , res2=0 ; 

//Do the first compressed byte 
//Put 1st value shifted 2 bits up 
resl=resl I (cl«2) ; 

//Put first 2 bits of 2nd value In lo position 
resl=resl I (c2»>3 ) ; 

//Do the second compressed byte 

//Put last 3 bits of 2nd value in high position-mask out first 5 bits 
res2=res2 I ( (c2&7) «5) ; 

//Put 3rd value in lo position 
res2=res2 I c3 ; 
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c [ j ] = (byte) resl ; 
c [ j+1] = (byte) res2 ; 


Here is a sample run of the program. Check its results for correctness (bear in mind that 
the program does not display the leading zeros). 

C:\ java>java CharCompressDemo LOULOUSKIPTOMYLOUSKIPTOMY 
LOUMYDARLIN 


Original string in binary: 

1001100010011110101010101001100010011110101010101010011010010 

1101001001010100000101010001001111010011010101100101001100010 

0111101010101010100110100101101001001010100000101010001001111 

0100110101011001010011000100111101010101010011010101100101000 

1000100000101010010010011000100100101001110 


Compressed string in binary: 

1011011101010000101101110101000100100101001000001111100110111 

0001100110000101100111010100100100010100100001111010011011100 

1100011000010110111001010001100110000000110000010001001011010 

0001101 

You may want to write a program that decompresses messages of this type; consider 
how you might do this. The topic of compression is as interesting as anything in cryptog- 
raphy, and I encourage you to study it. 
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